Phishing Scams, DNS Hijacking, and Cybersecurity Leadership Shakeup

May 28, 2025 · 12 min

Episode description

In this episode of Cybersecurity Today, host Jim Love looks at phishing emails that spoof Microsoft addresses so convincingly that many recipients fall for them even after checking the sender. Love argues that countering these tactics requires a stringent 'zero trust' approach rather than relying on sender and URL checks alone.

Additionally, the episode delves into the activities of the hacking group Hazy Hawk, which exploits misconfigured DNS records to hijack trusted domains and propagate malware. Organizations are warned about the importance of regular DNS audits to prevent such attacks. The episode also covers the alarming wave of departures at the Cybersecurity and Infrastructure Security Agency (CISA), raising concerns over the agency's effectiveness amid increasing cyber threats.

In another segment, Love discusses a sophisticated fraud operation out of Hanoi, where perpetrators manipulated X's Creator Revenue Sharing Program to siphon funds through fraudulent engagement metrics. The need for built-in fraud prevention mechanisms in digital reward systems is stressed. The episode concludes with a call for listener feedback and support.

00:00 Introduction and Overview
00:27 Phishing Scams: Authentic-Looking Emails
02:58 DNS Misconfigurations and Hazy Hawk
05:36 CISA Leadership Exodus
08:16 X's Creator Revenue Sharing Fraud
10:56 Conclusion and Contact Information

Transcript

That email with the authentic Microsoft address? It's still phishing. Hackers exploit DNS misconfigurations to hijack trusted domains. The CISA leadership exodus leaves the agency in crisis, and X gets pod y. Cybersecurity and fraud: both need to be designed in and not bolted on. This is Cybersecurity Today. I'm your host, Jim Love. If you've recently gotten an email from Microsoft asking you to take some action, like updating Windows or confirming your account, take a closer look.

It could be a phishing scam. But like any good cybersecurity pro, you checked, and the email address is authentic. It's still a fake. According to a new report from Forbes, some Windows users are receiving emails that appear to come directly from Microsoft. They look legitimate. The sender email is authentic. They have proper branding and authentic-looking links.

The only giveaway might be that urgent-sounding language, and if you click those links or download the attachments, you could be installing malware or turning over your login credentials. What's especially troubling is that the email design so closely mimics real messages from Microsoft, making it harder for even savvy users to spot the difference. This new wave of impersonation emails is better disguised and more targeted.

We saw an earlier version of this a few months back when someone was able to manipulate a PayPal feature to get phishing emails to originate from PayPal's own servers. It appears that this new wave of fake emails from Microsoft may have found a way to hijack Microsoft's notification system. We don't know for certain. But the resulting email looks totally authentic, and because Microsoft's name carries weight, people are more likely to engage without questioning the source.

Cybersecurity analyst Zak Doffman flagged this in his Forbes column, noting that attackers are banking on this trust and, of course, the old judgment killer, urgency, to get users to act without thinking. This is gonna change a lot of training programs. We often say that users should only respond to messages from trusted sources. We train them to look closely at URLs and email addresses, but this is no longer enough. It looks like we're gonna have to move them towards a true zero trust policy.

My advice has always been: when you get a notice from anybody, bank, government, corporation, whatever, go independently to their website. Never click a link that you got; go there directly and find the information that you need there. But that can't cover all communications. So we're all gonna be back to the drawing board on this one. Personally, I'd love to hear your ideas about what you are doing.

A hacking group known as Hazy Hawk is exploiting misconfigured DNS records to hijack legitimate domains and serve malware from what should be trusted web addresses. According to new research from a firm called Infoblox, the campaign, active since at least September 2023, is notable for abusing a common DNS oversight: dangling CNAME records. Hazy Hawk, suspected to operate out of Russia or Eastern Europe, scans for expired third-party services still listed in a domain's DNS records.

When they find one, they quickly register the expired service and take control of the subdomain. This lets them use a trusted brand's domain to host fake login pages and deliver malware without triggering the usual red flags for end users or even email filters. Infoblox researchers said that this method is especially dangerous because the hijacked domains retain their original TLS certificates, preserving the appearance of legitimacy.

Victims so far include multiple organizations in the education, telecom, finance, and even government sectors. Infoblox's report said these aren't low-effort phishing sites. They're cloaked behind well-known names, running on HTTPS with valid certificates, and often escape detection for weeks. The broader concern is how widespread these misconfigurations are. Infoblox warns that many companies don't routinely audit their DNS records after decommissioning third-party tools or services.

That oversight creates an open door for attackers to quietly hijack their infrastructure. And while Hazy Hawk isn't the first group to use dangling DNS records, the scale and persistence of this new campaign suggests it's becoming a mainstream tactic.

Organizations should regularly audit DNS entries, especially CNAME and TXT records referencing third-party services. Expired domains should be cleaned up immediately, and automated tools can help flag potential hijack risks before attackers exploit them.

For those of you who want a very detailed look at this issue, you can go to infoblox.com and search for "forgotten DNS records". There's a link in the show notes as well. Nearly every top official at the Cybersecurity and Infrastructure Security Agency (CISA) is leaving or has already left in what appears to be a sweeping purge under the Trump Administration's government downsizing campaign.

The loss of so many leaders at once is sparking deep concern about the agency's ability to function during a time of escalating foreign cyber threats. According to an internal email obtained by Cybersecurity Dive, five of CISA's six operational divisions and six of its 10 regional offices will lose their top leaders by the end of May. The shakeup also hits CISA's national field teams: directors in six regions, along with key deputies, are stepping down or have already departed.

These field leaders were instrumental in building trust with state, local, and private sector partners across the US, and their exit signals a major setback for CISA's national reach and impact. CISA's back office leadership isn't spared either. The agency's chief strategy officer, chief financial officer, chief contracting officer, and chief human capital officer are also leaving, most of them by May 30th. Morale is suffering.

One CISA staffer said there's a lot of anxiety around when the cuts and departures will finally stop and we can move forward as an agency. Another employee put it more bluntly: it feels like the wrong people are leaving. All of these departures make it feel like people are leaving the mission and creating a vacuum.

Former CISA leader Suzanne Spaulding called the loss of institutional knowledge sad and maddening, warning that the vacuum of experience will leave the nation less secure and resilient. Executive director Bridget Bean issued a statement reaffirming the agency's commitment to its mission, saying the agency has the right team in place and it's doubling down on protecting critical infrastructure.

But with the top talent walking out the door, that message is being met with, let's just say, growing skepticism inside and outside the agency. And this is more than a personnel shuffle. With senior leadership across the board exiting, America's leading cyber defense agency may be entering one of the most vulnerable moments in its history, just as global tensions are rising and digital threats are mounting. For now, the question isn't who's leaving, it's who will be left.

And CISA is also an agency that many cyber professionals depend on as a resource. There's a real danger that might be coming to an end. When Elon Musk launched X's Creator Revenue Sharing Program, the idea was simple: pay premium users based on their engagement to keep them active. After all, users were paying $8 a month for verification, and they could earn money when other premium users interact with their content. Sounds reasonable, right?

Well, it created a perfect target for fraud. Eight individuals operating from a small office in downtown Hanoi built what amounts to a sophisticated fraud machine. Here's their three-step process. First, they stole identities to create 125 fake US bank accounts and hundreds of fake X profiles. Second, they used software to automatically generate content and make these fake accounts like, repost, and engage with others, creating completely artificial engagement.

Third, they collected payouts from X based on this fake activity, funneling money through over 1,700 transactions across multiple payment processors to Vietnamese banks. But here's what makes this really interesting from a cybersecurity perspective. They didn't just commit fraud, they commercialized it. They created tools like the XGPT tool and sold their techniques across YouTube, TikTok, and other platforms, essentially running fraud as a service.

X's private investigators finally tracked them down through the payment trail when payment processors PingPong and Payoneer turned over identity documents. Investigators found the eight defendants in Hanoi. A federal lawsuit was filed this week seeking to recover the stolen funds. This case highlights critical vulnerabilities in modern platforms. Any system that automatically pays users based on digital metrics becomes a honeypot for fraudsters.

The attackers were able to reverse engineer X's engagement algorithm and exploit weak identity verification in payment systems. For cybersecurity professionals, this demonstrates why behavioral analytics and fraud detection must be built into reward systems from day one, not added as an afterthought. When you combine AI-driven engagement with financial incentives, you create attractive targets for sophisticated cyber criminals.

If social media companies get more sophisticated in monetizing user engagement, cyber criminals are going to evolve their techniques as well. The Vietnamese click farm case serves as a reminder that in cybersecurity, the most sophisticated attacks often exploit the simplest system incentives. Every automated reward system needs fraud prevention built in from the ground up. And that's our show for today. Love to hear what you think.

You can reach me at [email protected] or on LinkedIn, or if you're watching this on YouTube, just drop a note under the video. And if you're enjoying this content, we'd love it if you recommend it to a friend. And if you can help us out financially with a small donation at buymeacoffee.com/techpodcast, that's buymeacoffee.com/techpodcast, it'll really help with the expenses on the show. I'm your host, Jim Love. Thanks for listening.
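The DNS audit the Hazy Hawk segment recommends (regularly checking CNAME records that point at third-party services, and cleaning up any whose targets have expired) can be automated. The script below is an added example and is not code from the podcast, Infoblox, or any product it mentions. It parses a constructed zone fragment (reserved `.test` names, not real hosts), separates in-zone CNAMEs from external ones, and flags an external target as dangling when the supplied resolver reports that the name no longer exists. The resolver is injected as a callable so the example runs offline against a constructed answer set; the function names (`audit_cnames`, `parse_cnames`) and the sample data are assumptions of this example.

```python
"""Flag dangling CNAME records in a zone (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed zone fragment in zone-file syntax. None of these names are real;
# .test is a reserved TLD. blog.* points at a third-party host that has expired.
SAMPLE_ZONE = """\
; constructed zone fragment for example.test
www.example.test.     3600 IN CNAME example.test.
blog.example.test.    3600 IN CNAME old-blog.hosting-vendor.test.
status.example.test.  3600 IN CNAME status-page.saas-vendor.test.
api.example.test.     3600 IN A     192.0.2.10
_dmarc.example.test.  3600 IN TXT   "v=DMARC1; p=reject"
"""

# Constructed stand-in for live DNS answers: any name absent from this set is
# treated as NXDOMAIN, which is what an expired third-party service returns.
SAMPLE_RESOLVABLE = {"example.test.", "status-page.saas-vendor.test."}


@dataclass
class Finding:
    name: str     # owner name of the CNAME record
    target: str   # where the CNAME points
    status: str   # "internal", "external" (resolves, review) or "dangling"


def normalize(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME record in zone-file text.

    Handles the common 'owner [ttl] [class] CNAME target' layout. Comment
    stripping is naive (a ';' inside quoted TXT data is cut too), which is
    harmless here because only CNAME lines are kept.
    """
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        pairs.append((normalize(fields[0]), normalize(fields[idx + 1])))
    return pairs


def in_zone(name: str, apex: str) -> bool:
    """True when name is the zone apex or a name beneath it."""
    return name == apex or name.endswith("." + apex)


def audit_cnames(zone_text: str, apex: str,
                 resolves: Callable[[str], bool]) -> List[Finding]:
    """Classify each CNAME: internal, external-but-live, or dangling.

    `resolves(target)` must return False when the target name does not exist.
    In production this would wrap a real lookup, e.g. dnspython's
    dns.resolver.resolve() with dns.resolver.NXDOMAIN mapped to False.
    """
    apex = normalize(apex)
    findings = []
    for owner, target in parse_cnames(zone_text):
        if in_zone(target, apex):
            status = "internal"
        elif resolves(target):
            status = "external"   # still live, but review: tenant may have lapsed
        else:
            status = "dangling"   # NXDOMAIN: registerable by anyone, clean up now
        findings.append(Finding(owner, target, status))
    return findings


def dangling_names(findings: List[Finding]) -> List[str]:
    """Owner names that should be removed or re-pointed immediately."""
    return [f.name for f in findings if f.status == "dangling"]


if __name__ == "__main__":
    report = audit_cnames(SAMPLE_ZONE, "example.test",
                          lambda n: n in SAMPLE_RESOLVABLE)
    for f in report:
        print(f"{f.status:9} {f.name} -> {f.target}")
```

Running it against the sample reports `blog.example.test.` as dangling because its target returns NXDOMAIN. The "external" bucket is deliberately kept as a review list rather than a pass: a target that still resolves can also be hijackable if the hosting provider no longer has a tenant claiming that name, and that check is provider-specific, so it is out of scope for a generic resolver probe.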

Transcript source: provided by creator in RSS feed.