Latest news with #ZakDoffman


Forbes
19-07-2025
- Forbes
Delete Any Emails That Include These Images On Your Phone Or PC
You will not see this attack.

Republished on July 19 with new analysis into this dangerous image email attack.

Here we go again. There's a fast-growing threat in your inbox that's hard to detect — even for security software on your PC. This has 'seemingly come out of nowhere,' but you need to be aware. And it means deleting a raft of incoming emails.

The new warning comes courtesy of Ontinue, which says 'threat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks.' Plenty of these images, 'commonly treated as harmless,' contain 'embedded script elements' that lead to browser redirects. And that's a huge risk.

While these images might be .SVG attachments, as we have seen before, they could also be links to external images pulled into the email. And the campaign also relies on spoofed domains and email lures to trick users into opening and engaging.

As Sophos explains, the SVG file format 'is designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.'

VIPRE warns that 'up until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.'

Looking at these latest attacks, SlashNext's J Stephen Kowski told me 'when you open or preview these 'images,' they can secretly redirect your browser to dangerous websites without you knowing.' That means you need to be 'extra careful' with images.
Because these attackers leverage spoofed domains and senders to trick you, it isn't as easy as just avoiding emails from unknown senders. Instead, you should delete any email with an .SVG attachment unless you're expecting it. And you should allow your browser to block external images until you're certain of their origin.

Kowski says these emails will also likely be 'pushy about viewing the image right away,' and while 'your email provider's built-in security features, such as spam filtering and safe attachments, can help, they're not perfect against these newer tricks.' Jason Soroko from Sectigo goes even further, warning security teams to 'treat every inbound SVG as a potential executable,' as the surge in such attacks continues.

The real threat though lies in user complacency. SVG attacks, VIPRE says, are now tussling with PDFs to become 'attackers' favorite attachments of choice.' These are only images, most users assume, and so no click-throughs, no harm.

Bambenek Consulting's John Bambenek says this is 'a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs. The attackers have to rely on complacency ('it's only an image, it doesn't execute code') to lull organizations into accepting this content and getting it on the inside of a network.'

Ontinue says 'the observed targets of this campaign fall into B2B Service Providers, including the ones handling valuable Corporate Data regularly, including Financial and Employee data, Utilities, Software-as-a-Service providers that are great social engineering targets as they expect to receive a high volume of emails.'

The payload itself 'is delivered via an .SVG file that contains a JavaScript block hidden within a CDATA section. The embedded code uses a static XOR key to decrypt a secondary payload at runtime.
This decoded script reconstructs and executes a redirect command using the Function() constructor.'

And the team warns 'this technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling (HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts.' The emails containing the attachments or links will be simple, 'using a minimal format to avoid detection and provoke curiosity or interaction.' Hijacking poorly protected domains or spoofing others with special characters enhances the lure.

'While this report and research is valuable to enterprises,' Bambenek says, 'and the search valuable for hunt teams, organizations without a security staff or end consumers will remain vulnerable to conventional cybercrime with this technique.'

'This SVG attack vector is exactly what we've been tracking,' Kowski warns. 'Attackers have exhausted much of the text-based social engineering playbook over the last ten years and are now getting creative with content payloads to execute malicious code.' And this is easily done because 'attackers can easily spoof trusted senders, making recipients more likely to open what appears to be an innocent image file.'

'The beauty of SVG files from an attacker's perspective,' he told me, 'is that they look like harmless images but can contain embedded JavaScript that runs the moment someone opens the file in a browser, bypassing traditional email security that focuses on executable attachments.' Which means users need a new defensive playbook. And so the advice is just as simple. If you're not expecting an email which includes image links or .SVG attachments, delete them from your inbox.
'This campaign highlights a creative pivot in attacker methodology,' the team says, 'using benign file formats to hide malicious logic and evade established detection controls.' Which is another way of saying that you're your own best defense.
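The article describes the traits of these SVG lures: a script element, a body wrapped in a CDATA section, runtime evaluation through the Function() constructor, and reliance on the file being rendered by a browser. The following triage check is an added example written for this page; it is not code from Forbes, Ontinue, Sophos, VIPRE or any of the vendors quoted. It parses an SVG with Python's standard library and reports the script-bearing traits a mail gateway or analyst would want to quarantine on, following Sectigo's advice to treat every inbound SVG as a potential executable. The two sample SVGs are constructed for the example, and the "suspect" one carries only a harmless console.log so it can be run safely. The heuristics and token list are assumptions, not a published signature.

```python
"""Triage check for inbound SVG attachments.

Added example (not the article's or any vendor's code). Flags the traits the
article describes: <script> elements, CDATA-wrapped bodies, event-handler
attributes, javascript: links and runtime-evaluation calls such as Function().
A hit means "quarantine and inspect", not proof of malice.
"""
import re
import xml.etree.ElementTree as ET

# Attributes that run script when the SVG is rendered in a browser (onload, onclick, ...).
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Tokens associated with decode-then-execute script bodies (assumed heuristic list).
EVAL_TOKENS = ("Function(", "eval(", "fromCharCode", "atob(", "charCodeAt")
# CDATA is invisible to the XML parser, so it is detected on the raw text.
CDATA_RE = re.compile(r"<!\[CDATA\[", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG deserves attention; an empty list means nothing was flagged."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    if CDATA_RE.search(text):
        findings.append("cdata-section")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML may still render in a lenient browser; treat it as suspect.
        return findings + ["unparseable-xml"]
    for el in root.iter():  # document order, root first
        name = _local(el.tag)
        if name == "script":
            findings.append("script-element")
            body = "".join(el.itertext())  # includes CDATA text
            hits = [t for t in EVAL_TOKENS if t in body]
            if hits:
                findings.append("eval-tokens:" + ",".join(hits))
        elif name == "foreignobject":
            # Lets an SVG embed arbitrary HTML, another script-bearing path.
            findings.append("foreignobject-element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if EVENT_ATTR.match(a):
                findings.append(f"event-handler:{a}")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript-href")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: any script-bearing trait is enough to hold the attachment."""
    return bool(svg_findings(data))


# Constructed samples, not files from the campaign.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

SUSPECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script><![CDATA[
    var key = 7, blob = "placeholder";
    Function("console.log('decoded at runtime')")();
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, "->", svg_findings(sample) or "clean")
```

Run against the two samples, the benign circle produces no findings while the suspect file reports the CDATA section, the onload handler, the script element and the Function( token. The check deliberately stops at "hold and inspect" rather than trying to decode the XOR-obfuscated stage, because a static key or encoding can change between lures while the structural traits cannot be removed without losing the redirect. For end users without a gateway, the article's blunter control, deleting unexpected .SVG attachments and blocking external images, achieves the same outcome.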


Forbes
16-07-2025
- Forbes
Are These Dangerous Apps Already Hacking Your Smartphone?
Are these apps already attacking your phone?

There's a dangerous game of hide and seek taking place on your phone. The tradecraft behind the malicious app industry is fast becoming as much about hiding as attacking. If you can't be seen, then you can't be deleted. And more damage will be done. That's the crux of the new warning from Zimperium, whose zLabs team followed up on Human's report into Konfety evil twin attacks that I covered a year ago. 'At its peak,' Human said, 'Konfety-related programmatic bids reached 10 billion requests per day.'

'Bids per day' because this is an adware (advertising fraud) attack. The ruse is simple. The bad actors create two versions of an app with the same name. One is benign and is uploaded to Google's Play Store, with some basic, barely useful features. The second 'evil twin' version of the app is dangerous, and is distributed via other channels. The evil twin overloads its host phone with unwanted ads, often taking up the entire screen, making it difficult to actually operate the phone. This generates revenue for the bad actors, tricking legitimate advertisers into paying for fraudulently delivered ads.

Now, 'as part of our ongoing mission to identify emerging threats to mobile security,' Zimperium says it has been 'actively tracking a new, sophisticated variant' of the threat. The zLabs team says the threat actors behind Konfety 'consistently alter their targeted ad networks and update their methods to evade detection.' In the latest variants of the malware, this includes 'specifically tampering with the APK's ZIP structure… to bypass security checks and significantly complicate reverse engineering efforts, making detection and analysis more challenging for security professionals.' The scale of this adware industry is out of control.
Not all attacks operate at this scale, but they are mostly (but not always) driven by apps sideloaded from outside the official app stores. That's the easiest way to stay safe — stop sideloading.

That's why Google's new Advanced Protection Mode that comes with Android 16 restricts sideloading with no option to disable or work around that protection. Apps installed in this way carry significantly more risks to users, phones and data. 'Konfety's operations depict the latest in a series of adaptations from ad fraudsters to cloak their activities using novel tactics that enable them to evade detection,' Human said last year. The new report from Zimperium shows nothing at all has changed.


Forbes
08-05-2025
- Forbes
Google's Gmail Warning—If You See This Message It's An Attack
You have been warned — this is the danger sign.

Google has confirmed the latest attack on Gmail users, another case of devious social engineering exploiting platform vulnerabilities. Again, the objective of the attack was to take over the victim's email account, again it seemed to come from Google itself, again it has kept the headlines coming given Gmail's scale and global reach. Google's advice is clear: make sure you watch for the telltale message that's a clear sign of an attack.

You're likely familiar with the details of the latest attack by now, with 'emails [that] appear to come from a legitimate Google account service, asking users to follow a link to take action. However, clicking on the link could lock you out of your account.' Those are the details you can ignore: the ways in which attackers can fake Google emails, the ways in which phishing sites can be hosted on legitimate Google domains.

Google has patched these latest security holes, just as it patched security holes in February when a similar attack made headlines. This is a game of cat and mouse. As soon as Google takes action, hackers look for another way through. And they inevitably succeed. Watching a rearview mirror to guard against a repeat attack is pointless. This is about prevention, and fortunately one simple piece of advice foils all these attacks.

For that reason Google is understandably frustrated. Gmail users are all now looking for specific emails from a specific Google address to keep safe. Don't. It's much more basic than that. As Google told me, 'please reiterate to your readers that Google will not contact you to reset your password or troubleshoot account issues.' It's really that simple. That's all you need to know. And the same applies to Microsoft and Apple and Meta and others. That could be a phone call or an email. It's the same.
If you receive an unsolicited message of any kind from Google's technical support, it's an attack, a scam, a threat to your account, your finances, your data, your other platforms that rely on a Gmail address for a login or account recovery. Bad news all round. In the same way, the FBI's recent warning that scammers are impersonating its own staff to trick victims and the broader threat from law enforcement impersonation prompts the same warning — law enforcement will never reach out in this way.

And the raft of banking scams follows the same pattern. Account holders are contacted and told to move money to a safe account to protect it from a (made-up) attack. These so-called phantom hacker attacks have also prompted an FBI warning. That pattern, that a bank or agency or tech support desk reaches out, is the telltale sign. You must never engage with those emails or calls. Reach out to the relevant organization through usual channels and check — it's almost 100% certain they'll advise it's a scam.

That simple warning from Google, that it will never reach out to discuss an account issue or security risk, would have stopped these recent attacks at source. It's the single most critical piece of advice for Gmail's 2 billion users right now. And in addition, you should also set up passkeys on your account given all this furor, as that means even if you're tricked, your account should be protected from whatever comes next.


Forbes
07-05-2025
- Forbes
Samsung Galaxy Deadline—You Have 3 Weeks To Update Your Phone
Samsung's new update deadline confirmed.

Android is under attack — again. Google confirmed as much this week, before issuing an immediate update for its Pixel phones. Now Samsung has done the same, releasing details of its May security update with the fix included. There's a nasty twist with this one, though, with Samsung's phones particularly vulnerable to the attack. Meta was first to disclose CVE-2025-27363, detailing an arbitrary code execution vulnerability in FreeType font rendering software that 'may have been exploited in the wild.' Now Google says Android phones have been attacked.

The twist is that Android's security bulletin says the fix only applies to Android 13 and 14, suggesting Android 15 has already been addressed. That means Samsungs are vulnerable where Pixels are not, given that the Galaxy-maker was late to the party with One UI 7's Android 15 rollout, and millions of phones have not yet been upgraded. Now America's cyber defense agency has issued an update warning for all affected devices, with a May 27 deadline to either update or stop using phones. The formal mandate applies just to U.S. federal employees, but CISA's remit is 'to help every organization better manage vulnerabilities and keep pace with threat activity.'

The good news with this vulnerability and fix is that Samsung has been almost as fast as Google in confirming the fix. That's not always the case. We have seen multiple occasions where Samsungs have run a month behind Pixels with these updates, even with a CISA mandate in place which Samsung devices have missed. Clearly, this only applies to those Galaxy phones yet to upgrade to Android 15, and that upgrade satisfies the update mandate per Android's security bulletin.
If you're sticking with Android 14 for now — by choice or otherwise — then ensure you apply the update as soon as it's made available for your model, region and carrier. You should be able to meet the deadline, given it's late in the month.

CISA warns that 'FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution.' Google explains this 'could lead to local code execution with no additional execution privileges needed,' and that 'user interaction is not needed for exploitation.' All of which means you need to take this seriously.


Forbes
07-05-2025
- Business
- Forbes
Google's Gmail Upgrade—You Must Decide If This Goes Too Far
Decision time for 2 billion users.

Google is changing Gmail. Putting aside the procession of recent attacks, some of which seemed to come from Google itself, the biggest threat could come from within. This leaves 2 billion users of the world's most popular email platform with a decision to make — and that decision is getting more critical and more difficult.

We're talking AI, and the accelerating updates to Gmail — and other platforms — as new AI features are added into the mix. We know that AI is driving a new tidal wave of threats from scams, malware and phishing attacks. But what we don't yet know is how safe and secure the exposure of personal data to corporate, cloud-based AI processing will turn out to be, once it has all bedded down and been exposed to leaks and attacks.

Google has confirmed its latest AI upgrade is now here. 'Responding to email is now faster and better with Contextual Smart Replies,' the company says. These are 'powered by Gemini' and 'generate even more detailed and relevant replies, based on the context of the email thread, ensuring your reply is addressing the issues at hand.'

Absent end-to-end encryption, which doesn't work outside walled garden platforms or enterprise systems, email is not an inherently private and secure medium. And so you should be wary of what you send. But even so, AI reviewing an entire email thread — potentially multiple threads — to formulate a smart reply takes us to a new level. Google explains that 'if you're short on time or need help finding the right words, Gemini can analyze the context of an email and offer more detailed responses to fully capture the intent of your message.' You will be given a choice of what to send, after Gemini has 'taken the full content of the email thread into consideration.'
Contextual replies

This is available for Workspace Business and Enterprise editions, and Google says that it can be enabled by Admins in Gemini feature settings and by end users enabling 'smart features and personalization.' Google also cautions that 'Gemini feature suggestions don't represent Google's views, and should not be attributed to Google,' that users 'should not rely on Gemini features as medical, legal, financial or other professional advice,' and that 'Gemini features may suggest inaccurate or inappropriate information.'

This is clearly clever and helpful, but it should prompt some thought as to how far is too far. Google is a corporation, and the fear that its platforms — and others — will now use AI to scrutinize private, confidential, secure information warrants reflection.

Google provides opt-outs and privacy guidance for all these features. It's down to you and the companies you work for to decide what happens next. As I've noted before, there's an interesting twist to this debate. Google's addition of quasi end-to-end encryption to Gmail stops AI working on those emails. This even includes its new AI-driven relevancy search. That's because Google (rightly) can't see encrypted emails. That neatly frames the debate. Privacy or not — it's decision time.