I've noticed on some scam forums and subreddits I frequent that scammers have been using target site's own support searches to redirect users to scam phone numbers.
On both Ticketmaster and Facebook, and many other sites, when you perform a search on their support site it spits back your query in big letters at the top of the page. If you craft the correct search and then buy Google Ads pretending to be Ticketmaster, then you can redirect users to your call center and scam them. And because they link for your ad actually links to Ticketmaster the ad passes validation and appears to be a legit link in the eyes of Google.
So, I craft a search where the search query is “call 1 800 scam”, then I buy a google ad with key word of “ticketmaster help”, the ad links to real ticketmaster with my query, and google shows that ad to someone having trouble and hey presto they call my scam line at 4 quid a minute from their mobile?
Yuck all round. I mean ticketmaster is just a sin eater for greedy popstars but yuck ..
jancsika · 8m ago
> Yuck all round.
Yes, but also it's an impressive digital Jedi mind trick on a website.
signs a question mark with hand
"This is the support number you're looking for."
And the victim is extra primed here because so many companies make it nearly impossible to talk to a human. Yikes!
Almost seems like there's room here for a grey hat to come in and use this trick to do a good faith job trying to help the customer through their problem. Then tell them at the end that a recent anti-trust suit requires them to tell the customer about alternate independent venues in their area where they can support live music.
albertgoeswoof · 12m ago
But why does google allow unverified owners of a domain to buy ads for it? Surely only ticketmaster or agencies approved by ticket master should be allowed to do this?
levocardia · 8m ago
Wow. Programmatic SEO and its consequences. Genius...
RGamma · 1h ago
How desperate one has to be...
OkGoDoIt · 16m ago
Have you tried getting ticketing support from Ticketmaster? Even a sketchy phone number is better than no option at all…
SoftTalker · 2h ago
Among the common vulnerabilities listed:
> Outdated Wordpress plugins and CMS systems
No surprise, having worked in edu the following scenario was very common:
1) Researcher gets a grant for a project
2) Grad student sets up a Drupal site for the project
3) Things are maintained and updated for a couple of years
4) Grant runs out, project wraps up, student graduates, everyone forgets about the server which sits unattended and unmaintained.
Still happens, but most universites have really clamped down on the ability to just stand up a web server on the network. Many are requiring everything to be on a centrally managed enterprise CMS which is a PITA but that's the fallout for too much sloppy administration.
semi-extrinsic · 1h ago
At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address. All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
foobarian · 48m ago
Ah the good old days of putting my head down at my desk lulled into a nap by the once-a-second sounds of ssh login attempt logs being written to the spinning rust drive...
yjftsjthsd-h · 1h ago
> At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address.
Well that's fine; my school did the same thing and other than feeling wasteful there was no-
> All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Oh. Yeah, open ports by default is... and interesting life choice.
fecal_henge · 1h ago
This just got cancelled at my institution. I could have retained it if I argued strongly enough.
kevin_thibedeau · 23m ago
The low friction solution is to serve public_html from a home dir and direct users to generate static sites.
notyourwork · 1h ago
Yep, I remember having ssh access to production servers from a non-work machine at a well known university.
We could also get external ips and connectivity without much supervision. Core security needs to be prioritized to avoid this from happening.
leftcenterright · 2h ago
> Norton, Kaspersky, Zscaler, F-secure, NordVPN, Virustotal, Palo Alto: all of them marked these links as safe.
This is sad to see, these tools are forced down so many companies in name of "compliance" while totally not worth the maintenance and cost overhead. Apparently they haven't got any better in the last decade.
Muromec · 59m ago
Well, that's exactly the difference between complience and security
charcircuit · 2h ago
I'm curious if the link inside the pdf would have been detected.
vin10 · 1h ago
It is the same for nested links as well. They mostly have a chain of links, each one taking you to a new one with hop count ranging anywhere from 5 up to 10 or more.
gitroom · 2h ago
damn, i remember seeing old servers just getting dusty and full of holes after the student left. kinda crazy how much messy stuff is hiding in corners like that lol
3abiton · 1h ago
>
I have been advised not to disclose specific vulnerabilities since the parties involved are not most friendly and transparent in handling security reports. While most of these got reported and some even got fixed, I can only disclose high-level details of the compromise path. Some just ghosted me after conveniently fixing the flaws, and one even gave me a phone call, which was somewhat scary and perhaps not worth the adrenaline.
What an unprofessional sysadmin move, borderline infuriating.
Alex-Programs · 1h ago
Is it just me or is cybersecurity... Calming down? I feel like a few years ago there was constant news of ransomware, intrusions, vulnerabilities, etc, but more recently the defensive side seems to have the upper hand.
chelmzy · 21m ago
Not particularly. The only thing I have noticed in the past decade is the decline of the "American Hacker". Most groups are foreign but will partner with younger Americans for social engineering (ex. Scattered Spider). You just don't have people like Albert Gonzalez/Stephen Watt in America now. However, I suspect that many American hackers have shifted to targeting overseas countries that are not friendly with the US.
could someone with legal/data-privacy expertise comment if this would be something they have to disclose under data breach disclosure laws?
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
DyslexicAtheist · 1h ago
they've been contacted through the "proper channels" over 18 months ago by several (more than 1) security researchers.
After some people started publicly naming and shaming on LinkedIn and tagging ENISA, the issue got some exposure, but still was not fixed. It only made it more evident that several people independently reported these issues, and they became aware of peers stumbling over the issue. Still nothing happened.
ENISA is supposed to act as a CNA and expects to be notified of data breaches from EU based orgs for PSIRT / CSIRT as part of the Cybersec Resiliance Act and other laws.
Would I trust that vulnerability data that gets reported as a CVE, or a breach notification is safe with ENSIA ?
... feck no!
Would I trust that documents that europa.eu hosts on its infra are authentic? (such as security-compliance documents telling orgs how to properly implement security, but literally any public communication under one of the domains)
... hecking heck no!
... At this stage I think everyone else except ENISA has control over their infrastructure.
superkuh · 2h ago
These days most "cyber" crimes are commited by corporations against their customers/users (just like most theft is wage theft). These small fish/phish putting sites on exploited servers are a drop in the bucket. It is sad when some university resource gets shut down because they didn't mantain it after the grad student that set it up graduates though. We really need to teach the people that set up these things to use .html pages instead of dynamic languages and databases.
neffy · 59m ago
Sure. Corporations commit ransomware attacks all the time.
On both Ticketmaster and Facebook, and many other sites, when you perform a search on their support site it spits back your query in big letters at the top of the page. If you craft the correct search and then buy Google Ads pretending to be Ticketmaster, then you can redirect users to your call center and scam them. And because they link for your ad actually links to Ticketmaster the ad passes validation and appears to be a legit link in the eyes of Google.
Example of a crafted search term: https://help.ticketmaster.com/hc/en-us/search?utf8=%E2%9C%93...
Yuck all round. I mean ticketmaster is just a sin eater for greedy popstars but yuck ..
Yes, but also it's an impressive digital Jedi mind trick on a website.
signs a question mark with hand
"This is the support number you're looking for."
And the victim is extra primed here because so many companies make it nearly impossible to talk to a human. Yikes!
Almost seems like there's room here for a grey hat to come in and use this trick to do a good faith job trying to help the customer through their problem. Then tell them at the end that a recent anti-trust suit requires them to tell the customer about alternate independent venues in their area where they can support live music.
> Outdated Wordpress plugins and CMS systems
No surprise, having worked in edu the following scenario was very common:
1) Researcher gets a grant for a project
2) Grad student sets up a Drupal site for the project
3) Things are maintained and updated for a couple of years
4) Grant runs out, project wraps up, student graduates, everyone forgets about the server which sits unattended and unmaintained.
Still happens, but most universites have really clamped down on the ability to just stand up a web server on the network. Many are requiring everything to be on a centrally managed enterprise CMS which is a PITA but that's the fallout for too much sloppy administration.
Well that's fine; my school did the same thing and other than feeling wasteful there was no-
> All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Oh. Yeah, open ports by default is... and interesting life choice.
We could also get external ips and connectivity without much supervision. Core security needs to be prioritized to avoid this from happening.
This is sad to see, these tools are forced down so many companies in name of "compliance" while totally not worth the maintenance and cost overhead. Apparently they haven't got any better in the last decade.
I have been advised not to disclose specific vulnerabilities since the parties involved are not most friendly and transparent in handling security reports. While most of these got reported and some even got fixed, I can only disclose high-level details of the compromise path. Some just ghosted me after conveniently fixing the flaws, and one even gave me a phone call, which was somewhat scary and perhaps not worth the adrenaline.
What an unprofessional sysadmin move, borderline infuriating.
gta 5 site:europa.eu https://www.google.com/search?q=gta+5+site%3Aeuropa.eu&hl=en
Watch full site:europa.eu https://www.google.com/search?q=Watch+full+site%3Aeuropa.eu&...
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
After some people started publicly naming and shaming on LinkedIn and tagging ENISA, the issue got some exposure, but still was not fixed. It only made it more evident that several people independently reported these issues, and they became aware of peers stumbling over the issue. Still nothing happened.
ENISA is supposed to act as a CNA and expects to be notified of data breaches from EU based orgs for PSIRT / CSIRT as part of the Cybersec Resiliance Act and other laws.
Would I trust that vulnerability data that gets reported as a CVE, or a breach notification is safe with ENSIA ?
... feck no!
Would I trust that documents that europa.eu hosts on its infra are authentic? (such as security-compliance documents telling orgs how to properly implement security, but literally any public communication under one of the domains)
... hecking heck no!
... At this stage I think everyone else except ENISA has control over their infrastructure.