Infosec In Brief Email security outfit EasyDMARC recently spotted a phishing campaign that successfully spoofed Google with a sophisticated attack.
As explained in a technical breakdown, the attackers sent emails that appeared to come from the legit address no-reply@accounts.google.com and claimed the recipient must comply with a subpoena from an unspecified law enforcement agency that was granted the right to access material stored in their Google account.
The phishing mail linked to a URL at Google Sites, a service that allows the creation of simple websites with google.com addresses. Users who were not logged in were asked to do so with their Google credentials. Those who did so were then directed to a fake “Legal investigations support” page.
That’s phishing 101.
What set this attack apart is that the phishing emails were unusually well disguised and passed the email authentication checks DMARC (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail).
EasyDMARC believes the attackers obtained an email from no-reply@accounts.google.com that included a valid DKIM signature, meaning Google had signed it as a legitimate message. The attackers saved the email without altering any of the signed content, then re-sent it using Microsoft’s Outlook.com free email service, which relayed it through hosting outfit Namecheap’s SMTP and private email services. Across all three of those hops, the DKIM signature remained intact, because DKIM only covers the signed headers and body, not the path a message takes.
The phishing mails therefore appeared legit and landed in targets’ inboxes.
EasyDMARC’s team replicated the attack. The outfit warned netizens that subpoenas aren’t the sort of thing that arrives from no-reply@accounts.google.com.
- Simon Sharwood
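The replay described above leaves a valid signature but breaks the link between the signer and the path the message actually took. As an added illustration (not EasyDMARC's code), the following Python checks a received message for those tells: the envelope sender and the submitting host not aligning with the DKIM d= domain, and the same signature value turning up more than once. The sample message, hosts, addresses and signature blobs are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (hosts, addresses, signature blobs made up): a Google-signed
# notice saved and re-sent through an unrelated relay, signature left intact.
SAMPLE = """\
Return-Path: <bounce@resend-example.test>
Received: from mail.resend-example.test ([203.0.113.5])
 by mx.victim-example.test with ESMTPS; Mon, 14 Apr 2025 10:00:00 +0000
Received: from outlook-example.test ([198.51.100.7])
 by mail.resend-example.test with ESMTP; Mon, 14 Apr 2025 09:59:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=20230601; h=from:to; bh=FAKEBODYHASH=; b=FAKESIGNATURE=
From: Google <no-reply@accounts.google.com>
To: victim@victim-example.test
"""

def dkim_tags(raw):
    """Tag=value pairs of the first DKIM-Signature header, folding removed."""
    header = message_from_string(raw).get("DKIM-Signature", "")
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def aligned(name, domain):
    """True if name equals domain or is a subdomain of it (relaxed alignment)."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)

def replay_indicators(raw, seen_signatures):
    """Replay signals: intact signature but mail not from the signer, or a signature
    seen before. Score next to the DMARC verdict; legitimate forwarding also trips it."""
    msg, tags, findings = message_from_string(raw), dkim_tags(raw), []
    signer = tags.get("d", "")
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    if signer and not aligned(envelope, signer):
        findings.append(f"envelope sender {envelope} not aligned with signer {signer}")
    hops = msg.get_all("Received", [])  # last header = earliest hop = submitting host
    first = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    if first and not aligned(first.group(1), signer):
        findings.append(f"submitting host {first.group(1)} not aligned with signer {signer}")
    if tags.get("b") in seen_signatures:
        findings.append("identical DKIM signature seen before: likely replay of a saved message")
    elif tags.get("b"):
        seen_signatures.add(tags["b"])
    return findings
```

The signature cache is what catches a saved message being blasted to many recipients; the alignment checks need tuning for mailing lists and forwarders that legitimately re-send signed mail.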
Pentagon tech innovators reportedly bail after DOGE action
Citing anonymous sources inside the federal government, Politico last week reported that most workers at the US Defense Department's Defense Digital Service (DDS), a small but influential team designed to bring startup-style innovation into the Pentagon, plan to resign under pressure from Elon Musk's Department of Government Efficiency (DOGE).
Founded in 2015, the DDS worked on innovations including drone defense systems, the development of the DoD's large language model operations framework, and several cybersecurity initiatives.
According to Politico's sources, the mass resignation, which included DDS director Jennifer Hay, will mean the group closes by the end of April. One departing staffer said that without DDS, some projects, including counter-drone programs, will likely be discontinued.
Team members told Politico they had hoped to assist DOGE's efforts to streamline Pentagon operations but found themselves sidelined. The situation may not be unique: The General Services Administration's 18F, a tech modernization group, has reportedly been disbanded by DOGE.
Gig worker accounts for sale
The gig worker who shows up to deliver you dinner or drive you to the other side of town may not be who they say they are.
The Tech Transparency Project (TTP) says it found 80 Facebook groups with a combined 800,000+ members that trade gig worker accounts on platforms including Uber, Lyft, DoorDash, Deliveroo, and other rideshare and delivery apps. Some of the groups openly advertise accounts "for rent."
TTP reports that sellers in these groups offer access to active accounts already approved by the apps, meaning buyers don’t have to pass safety requirements like identity verification, vehicle inspections, or proof of insurance. In other words, someone who wouldn't pass a basic screening can still ferry passengers or food under a stranger's name.
"The activity endangers passenger and customer safety and may violate US law," TTP noted.
Beyond that, it's definitely a violation of company policies for Uber, Lyft and DoorDash - and a violation of Facebook's policies, too.
"Meta has policies against fraud and the sale of 'fake or forged documents,'" TTP pointed out. "Meta also bars Facebook groups from promoting 'illegal activities, products, or services.'"
Since TTP conducted its investigation in January and February and reported the matter to Meta, only nine of the 80 Facebook groups it identified have been removed, while others remain active and have even seen member numbers grow.
Additionally, TTP argued that the groups' continued presence is evidence that Meta's decision to ditch human fact-checking moderators and shift toward more automated enforcement has failed.
"Meta's recent announcement that it would scale back policy enforcement on its platforms made clear that its automated systems would continue to root out illegal activity—including fraud," TTP said, adding that "Meta is failing to meet its new, lowered bar for policy enforcement by hosting a thriving trade in fraudulent Uber driver accounts."
Meta directed The Register to its January statement on its moderation policy changes to point out what the company asserts is its unchanged commitment to “tackling illegal and high-severity violations, like terrorism, child sexual exploitation, drugs, fraud and scams."
The social media giant also told us that the January changes had no impact on its actions against scammers.
Nothing critical, but plenty to patch
Last week appears to have been a rare one without news of critical-rated flaws to fix, but digital workspace developer Omnissa released a pair of security advisories that still warrant attention, as the flaws can allow unauthorized access to sensitive systems and info. First up, CVE-2025-25230 (CVSS 7.8) is a local privilege escalation vulnerability in the biz's Horizon client for Windows. The second, CVE-2025-25234, with a CVSS score of 7.1, is a cross-origin resource sharing (CORS) bypass flaw in Omnissa's Unified Access Gateway (UAG).
Other candidates for your patching to-do list include:
- CVSS 7.5 - CVE-2025-31200: A memory corruption vulnerability in multiple Apple operating systems could allow code execution if a maliciously crafted media file is processed;
- CVSS 6.5 - CVE-2021-20035: An OS command injection vulnerability in the SonicWALL SMA100-series management interface could allow a remote authenticated attacker to execute commands as a low-privilege user, potentially leading to a denial-of-service (DoS) condition;
- CVSS 6.8 - CVE-2025-31201: A flaw in multiple Apple OSes could allow an attacker with arbitrary read and write access to bypass Pointer Authentication.
Node.js used to distribute malware
Microsoft has warned that Node.js is increasingly being used to distribute malware.
The software giant last week warned it has tracked malware campaigns that use scripts and executables created with Node.js to deploy malware capable of stealing information, exfiltrating data, and bypassing detection techniques used by seasoned defenders.
The attacks started in October 2024 and some remain active.
The most recent attack involves a malvertising campaign targeting cryptocurrency traders. Attackers use ads to lure the unwary to bogus websites, then trick targets into downloading a malicious installer disguised as legitimate trading software.
Same con, new wrapper, one noteworthy evolution: Attackers are now using inline JavaScript execution via Node.js, allowing scripts to run directly from the command line, rather than from disk. This technique helps obfuscate operations and evade traditional security tooling.
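Because the script text travels in the command line rather than in a .js file on disk, the place to look for this is process-creation telemetry. As an added example (not Microsoft's detection logic), the Python below flags Node.js launched with its inline-evaluation options (`-e`/`--eval`, `-p`/`--print`) over a handful of constructed events; parent process names and command lines are made up, and the allowlist is an assumption to be tuned per environment.

```python
import shlex

# Constructed process-creation events (parent image, command line); not real telemetry.
EVENTS = [
    ("explorer.exe", r'"C:\Program Files\nodejs\node.exe" C:\apps\build\index.js'),
    ("TradingSetup.exe", 'node.exe -e "console.log(process.env.PATH)"'),
    ("cmd.exe", 'node --eval="process.stdout.write(String(1+1))"'),
    ("powershell.exe", 'node -p "process.versions.node"'),
]

INLINE_FLAGS = {"-e", "--eval", "-p", "--print"}
# Assumed: parents that legitimately drive node inline in this environment (tune locally).
EXPECTED_PARENTS = {"powershell.exe"}

def is_node(argv0):
    """Match the node binary by basename, regardless of path or quoting."""
    base = argv0.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base in ("node", "node.exe")

def inline_node_execution(cmdline):
    """True when node is handed script text on the command line instead of a file."""
    try:
        argv = shlex.split(cmdline, posix=True)
    except ValueError:  # unbalanced quotes: leave it to other rules
        return False
    if not argv or not is_node(argv[0]):
        return False
    return any(a in INLINE_FLAGS or a.startswith(("--eval=", "--print="))
               for a in argv[1:])

def flag_events(events):
    """Return (parent, cmdline) pairs worth an analyst's look: inline node
    execution from a parent that is not expected to do it."""
    return [(parent, cmd) for parent, cmd in events
            if inline_node_execution(cmd) and parent not in EXPECTED_PARENTS]
```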
US disinformation-fighting agency closed
US Secretary of State Marco Rubio has shuttered the State Department's Counter Foreign Information Manipulation and Interference group (R/FIMI), formerly known as the Global Engagement Center. He accused it of crossing the line from fighting foreign propaganda to censoring Americans. The move, critics argue, is a gift to Moscow, Tehran, and Pyongyang.
Rubio claimed that R/FIMI spent more than $50 million per year to "actively silence and censor the voices of Americans they were supposed to be serving," calling its actions "antithetical to the very principles we should be upholding."
"Over the last decade though, individuals in America have been slandered, fired, charged, and even jailed for simply voicing their opinions," Rubio said. "That is not an America our Founding Fathers would recognize."
Security incident slows Maine Turnpike billing
Drivers in the US state of Maine who travel the Turnpike from Portsmouth to Augusta are in for a bit of bill shock after a precautionary shutdown of the E-ZPass tolling system last month paused charges to users for nearly a month.
Maine authorities last week admitted the E-ZPass payment system was taken offline for 12 hours on March 19 to prevent a potential cybersecurity breach detected by the system’s vendor TransCore. Subsequent recovery and verification processes meant toll charges weren’t applied to accounts for several weeks.
Billing has since resumed and drivers using E-ZPass are now being charged for weeks’ worth of Turnpike trips. E-ZPass requires customers to maintain a positive balance on their accounts, usually by charging their credit cards. Turnpike drivers might want to check their accounts are topped up before all those delayed transactions start appearing. ®