Randall Munroe’s XKCD ‘Suspension Bridge’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Suspension Bridge’ appeared first on Security Boulevard.
Every year, cybercriminals sharpen their tools and refine their tactics to exploit network and security vulnerabilities. Gone are the days of clumsy emails with glaring typos and suspicious attachments. Instead, we face an era of new sophistication. No longer just stealing credentials, attackers are creating intricate digital narratives that make it difficult to distinguish friend from foe in our inboxes and DMs.
But these revelations are more than a glimpse into the cybercriminal underworld; they are a call to action. As phishing attacks continue to evolve, so should our defenses.
Phishing predictions for 2025
In our ThreatLabz 2024 Phishing Report, we shared the following key predictions for the year to come:
Prediction 1: AI vs. AI will be an enduring challenge
Enhanced AI capabilities increase the speed, scale, and automation of cyberattacks. Threat actors will widely adopt AI to craft more sophisticated phishing schemes and advanced techniques in 2025. As cybercriminals leverage publicly available and custom-made AI tools to orchestrate highly targeted campaigns, exploiting the trust of individuals and organizations alike, security vendors will integrate generative AI into their toolkits to enhance threat detection and response capabilities.
Prediction 2: Phishing as a service will intensify its focus on MFA exploitation and AiTM
Phishing as a service removes technical barriers, allowing threat actors to launch successful phishing campaigns with limited expertise. They can take advantage of developer knowledge to launch a phishing attack and use advanced techniques to avoid detection. In the coming year, we can expect threat actors to conduct high-volume phishing campaigns aimed at bypassing enterprise multifactor authentication (MFA) through phishing kits that include AI-powered adversary-in-the-middle (AiTM) techniques, localized phishing content, and target fingerprinting.
Prediction 3: Vishing attacks spearheaded by malware groups will surge significantly
As cybercriminals’ efforts become more sophisticated, they will increasingly turn to targeted voice and video phishing campaigns. For example, AI-driven voice cloning technology enables cybercriminals to mimic the voices of trusted individuals, creating highly realistic impersonations that can trick even the most vigilant people. With VoIP increasingly accessible and caller ID spoofing available, attackers can mask their identities and origins, making it more difficult to trace the source of vishing calls.
Prediction 4: Attackers will home in on vulnerabilities inherent in mobile devices and platforms
Remote work and bring-your-own-device (BYOD) culture have made mobile devices a permanent part of our work lives. As more and more of our lives involve mobile devices, cyberattackers are now targeting those devices with increasingly creative schemes. For example, they are shifting toward AI-driven social engineering attacks aimed at mobile users that exploit passkey and biometric authentication methods. Expect attackers to increasingly use fake push notifications that mimic legitimate apps and drive to phishing websites, exploiting mobile users’ trust in a common communication channel.
Prediction 5: Phishing will continue to erode trust in electoral outcomes
In heightened political climates and emotionally charged atmospheres, voters tend to let their guard down as they try to find new avenues to get their voices heard. Threat actors are poised to escalate phishing campaigns aimed at exploiting the political landscape. For example, an anonymous phishing attempt recently duped users by mimicking official election communications, successfully harvesting sensitive data. Looking forward, we expect similar politically motivated phishing attacks to target voter information platforms, campaign infrastructures, and public discourse channels. Organizations and electoral stakeholders should proactively bolster cybersecurity measures to detect and counter these emerging threats.
Prediction 6: Encrypted messaging platforms will become breeding grounds for phishing attacks
Phishing attacks will capitalize on the trust users associate with encrypted messaging platforms. Using bots, for example, attackers will be able to automate illegal activities, from generating phishing pages to collecting sensitive user data. In these scenarios, cybercriminals will be able to impersonate users or authority figures, such as government officials, and urge others to share login credentials or download apps.
Prediction 7: Browser-in-the-browser phishing attacks will escalate
By exploiting users’ trust in open browsers and legitimate websites, browser-in-the-browser phishing attacks simulate a login window on a spoofed domain to steal user credentials. Attackers will increasingly utilize AI-driven customization in browser attacks to, for example, adapt phishing web pages to mimic browser environments more convincingly or analyze user interactions and adjust phishing content based on observed behaviors.
A quick Google search will show that all these predictions are already coming true. In February 2024, a major European retailer suffered a sophisticated phishing attack in which cybercriminals spoofed employee emails to deceive the financial team into transferring funds. As a result, the company lost approximately €15.5 million in cash.
Also in 2024, a global pharmaceutical company was hit with a vishing scheme in which employees received urgent calls from “executives” instructing them to immediately make wire transfers for a fake acquisition deal, leading to a total loss of US$35 million. Using AI capabilities, the cybercriminals created a cloned voice with a believable accent and tone that made it indistinguishable from a real person.
Mitigate phishing attacks with the Zscaler Zero Trust Exchange
Protecting organizations from user compromise has become an increasingly formidable challenge, particularly as AI-driven phishing attacks gain traction. In this shifting landscape, organizations must evolve their security strategies and incorporate advanced phishing prevention controls into their broader network security defenses.
The cornerstone of an effective defense strategy is the Zscaler Zero Trust Exchange™, which takes a comprehensive approach to cybersecurity and stops conventional and AI-driven phishing attacks by:
Preventing compromise with full TLS/SSL inspection, browser isolation, and policy-driven access control to prevent access to suspicious websites.
Eliminating lateral movement by connecting users directly to apps, not the network.
Shutting down compromised users and insider threats by preventing private app exploit attempts with inline inspection and detecting the most sophisticated attackers with integrated deception.
Stopping data loss by inspecting data-in-motion and at-rest to prevent potential theft.
To learn more about how Zscaler can help you prevent the cyberattacks of tomorrow, check out our other Cybersecurity Predictions for 2025:
8 Cyber Predictions for 2025: A CSO’s Perspective
7 Ransomware Predictions for 2025: From AI Threats to New Strategies
5 Encrypted Attack Predictions for 2025
Request a custom demo on how Zscaler can help address your organization’s ransomware protection needs. Follow Zscaler ThreatLabz on X (Twitter) and our Security Research Blog to stay on top of the latest cyberthreats and security research. The Zscaler ThreatLabz threat research team continuously monitors threat intelligence from the world’s largest inline security cloud and shares its findings with the wider security community.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. These forward-looking statements include, but are not limited to, statements concerning predictions about the state of phishing threats and attacks in calendar year 2025 and our ability to capitalize on such market opportunities; the use of Zero Trust architecture to combat phishing attacks and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions about phishing in calendar year 2025. Additional risks and uncertainties are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 5, 2024, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future.
The post Phishing Season 2025: The Latest Predictions Unveiled appeared first on Security Boulevard.
Threat actors are using as many as 2.8 million edge and IoT devices from around the world in a massive brute force attack that is targeting edge security systems from Palo Alto Networks, Ivanti, SonicWall, and other vendors, according to the Shadowserver Foundation.
The post Attackers Use 2.8 Million Devices in Major Brute Force Attack appeared first on Security Boulevard.
The Praetorian Labs team was tasked with identifying novel and previously undocumented persistence mechanisms for use in red team engagements. Our primary focus was on persistence techniques achievable through modifications in HKCU, allowing for stealthy, user-level persistence without requiring administrative privileges. Unfortunately, while we identified an interesting persistence technique, the method we discuss in this […]
The post Leveraging Microsoft Text Services Framework (TSF) for Red Team Operations appeared first on Praetorian.
The post Leveraging Microsoft Text Services Framework (TSF) for Red Team Operations appeared first on Security Boulevard.
Authors/Presenters: Panel
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization’s YouTube channel.
The post DEF CON 32 – Hunters And Gatherers A Deep Dive Into The World Of Bug Bounties appeared first on Security Boulevard.
NHIs outnumber human users in enterprises, yet many IAM strategies ignore them. Learn why CISOs must own NHI governance to prevent security breaches.
The post The Critical Role of CISOs in Managing IAM – Including Non-Human Identities appeared first on Security Boulevard.
This is a news item roundup of privacy or privacy-related news items for 2 FEB 2025 - 8 FEB 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Make sure to clear your clipboard after copying sensitive information such as passwords.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
The biggest breach of US government data is under way
TechCrunch
This is included for the privacy and cybersecurity ramifications of departing from basic information security principles. DOGE's near-unfettered access to sensitive PII of tens of millions of Americans raises immense questions about whether the minimal security and privacy rules put in place are in fact being followed.
U.K. orders Apple to let it spy on users’ encrypted accounts
ArsTechnica
The UK government issued a secret order demanding Apple implement a backdoor to let it retrieve anything any Apple user has uploaded to the cloud. The demand seeks and implies it would circumvent even the protections introduced with Advanced Data Protection or ADP (if enabled by a user), which introduces "true" end-to-end encryption (where Apple doesn't have the keys) for most data stored in iCloud.
Note: Not explicitly US-related, but given the UK's membership in the 5-eyes and Apple being a US company, and the EU's attempt to pass Chat Control over the last few years... this is certainly a news item worth paying attention to.
Spyware maker Paragon terminates contract with Italian government: media reports
TechCrunch
This campaign was included in Week 5 of the Privacy Roundup, where Meta disrupted a campaign on WhatsApp targeting approximately 100 users with Paragon Spyware. Some of these users were journalists critical of the Italian government. Paragon terminated the contract with the Italian government on 5 FEB 2025, alleging it had "broken the terms and service and ethical framework it had agreed to..."
Additionally, among the targets there were users in Austria, Belgium, Cyprus, Czech Republic, Denmark, Germany, Greece, Latvia, Lithuania, the Netherlands, Portugal, Spain, and Sweden.
Note: While this doesn't have a US-nexus, this is something probably worth paying attention to...
Spyware maker Paragon confirms US government is a customer
TechCrunch
This came before some of the revelations in the news item immediately preceding this one, "Spyware maker Paragon terminates contract with Italian government: media reports." The key takeaway here is that Paragon Solutions has a subsidiary in the US and confirmed it licenses its technology to "the United States and its allies."
TSA’s airport facial-recog tech faces audit probe
The Register
Senators inquired whether these facial recognition systems were having any meaningful impact (reducing expenses, reducing wait times, stopping "terrorists") beyond just being hi-tech "security theater." Consequently, the DHS Inspector General launched an audit of the TSA's use of facial recognition.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools
Firefox desktop 135.0 release notes
Mozilla
A bigger Firefox release (135) featuring progressive rollouts of optional AI chatbot access, credit card autofill, CRlite cert revocation checking, and incorporating safeguards for the history API to prevent abuse by websites.
This release also includes 11 security fixes: 7 classified as high, 4 as moderate, and 2 as low.
Open source YouTube client NewPipe releases v0.27.6 with some enhancements and bug fixes
AlternativeTo
This version fixes bugs such as HTTP 403 errors while playing videos and others which may prevent videos from loading.
Tails
Tails 6.12 has important security fixes, including preventing an attacker monitoring Tor circuits when another application in Tails is hijacked and preventing an attacker from changing Persistent Storage settings.
Using custom scriptlets to make the Web work the way you want
Brave
Brave introduces the ability for users to write and inject their own scriptlets into a web page for the Brave Browser (version 1.75).
Privacy Services
Mullvad VPN for Windows on ARM is here!
Mullvad
Mullvad VPN client is now available for Windows ARM desktops.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Experts Flag Security, Privacy Risks in DeepSeek AI App
Krebs on Security
NowSecure conducted a privacy and security review of the DeepSeek iOS app, finding numerous concerns:
Stable Channel Update for Desktop
Google Chrome Releases
Chrome version 133 includes 12 security fixes, including a high severity use-after-free vulnerability in the V8 JavaScript engine (CVE-2025-0445).
Chromium forks should incorporate these security fixes as soon as possible. Users should check with the maintainer...
The post Privacy Roundup: Week 6 of Year 2025 appeared first on Security Boulevard.
Cloud-native certificate lifecycle management (CLM) revolutionizes digital certificate handling by automating issuance, renewal, and revocation. Unlike traditional on-premise methods, cloud-native platforms enhance security, scalability, and efficiency while reducing costs. They leverage automation, containerization, and APIs for seamless integration and real-time monitoring. With advanced cryptographic readiness and reduced downtime, cloud-native CLM ensures future-proof PKI management. Sectigo Certificate Manager (SCM) exemplifies these benefits, delivering flexible, CA-agnostic solutions for enterprises.
The post Cloud-native certificate lifecycle management: exploring the benefits & capabilities appeared first on Security Boulevard.
The world is worried about deepfakes. Research conducted in the U.S. and Australia finds that nearly three-quarters of respondents feel negatively about them, associating the AI-generated phenomenon with fraud and misinformation. But in the workplace, we’re more likely to let our guard down. That’s bad news for businesses as the prospect of LLM-trained malicious digital..
The post Could you Spot a Digital Twin at Work? Get Ready for Hyper-Personalized Attacks appeared first on Security Boulevard.
Let's discuss the major things anyone should look into before choosing an API gateway in today's sprawling, AI-driven threat landscape.
The post API Gateway Security Needs a Stronger Zero-Trust Strategy appeared first on Security Boulevard.
The United Kingdom has made a bold demand to Apple, purporting to require the company to create a backdoor to access encrypted cloud backups of all users worldwide.
The post Hey, UK, Get Off of My Cloud appeared first on Security Boulevard.
Artificial Intelligence (AI) is transforming industries by automating tasks, improving decision-making, and enhancing cybersecurity. However, AI models are increasingly being targeted by adversarial attacks, which can manipulate or compromise their integrity. The protection of sensitive data along with trust maintenance and accurate decision-making demands the establishment of AI security. This blog investigates AI security while […]
The post White Box Testing in 2025: A Complete Guide to Techniques, Tools, and Best Practices first appeared on StrongBox IT.
The post White Box Testing in 2025: A Complete Guide to Techniques, Tools, and Best Practices appeared first on Security Boulevard.
In this episode we welcome Kathleen Smith, CMO of ClearedJobs.net, to discuss the current state of the cybersecurity job market. Kathleen shares her extensive experience in the field, recounting her tenure in various cybersecurity events and her contributions to job market research and recruiting. She discusses challenges such as distinguishing between genuine workforce shortages and […]
The post Careers in Cybersecurity: Myths and Realities with Kathleen Smith appeared first on Shared Security Podcast.
The post Careers in Cybersecurity: Myths and Realities with Kathleen Smith appeared first on Security Boulevard.
Why does the Secure Framework Matter? The focus of this operation isn’t just about the immediate prevention of potential threats but ensuring we have a solid line of defense that could weather any storm thrown our way. It’s all about staying ahead of the curve and keeping your organization protected from both known and unknown […]
The post Building an Impenetrable Framework for Data Security appeared first on Entro.
The post Building an Impenetrable Framework for Data Security appeared first on Security Boulevard.
Are You Properly Managing Your Non-Human Identities? Modern organizations are continually interacting with an ever-growing number of machines, applications, and devices, often through cloud-based systems. These interactions, when left unmonitored, can lead to what is known as secrets sprawl. Proper secrets sprawl management can dramatically improve the efficiency of operations and ensure customer satisfaction. But […]
The post Ensuring Satisfaction with Seamless Secrets Sprawl Management appeared first on Entro.
The post Ensuring Satisfaction with Seamless Secrets Sprawl Management appeared first on Security Boulevard.
Are Businesses Truly Aware of the Importance of Non-Human Identities in Cybersecurity? There’s one critical aspect that’s frequently overlooked: Non-Human Identities (NHIs). These machine identities, composed of Secrets such as tokens, keys, and encrypted passwords, play a pivotal role in maintaining top-notch API security in organizations, keeping their valuable data safe and their operations running […]
The post Stay Relaxed with Top-Notch API Security appeared first on Entro.
The post Stay Relaxed with Top-Notch API Security appeared first on Security Boulevard.
Authors/Presenters: Vladyslav Zubkov, Martin Str
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization’s YouTube channel.
The post DEF CON 32 – Exploiting Bluetooth From Your Car To The Bank Account appeared first on Security Boulevard.
Why is Cloud Compliance Investment a Necessity? I often get asked, “Why is cloud compliance investment a necessity?” The answer is simple; it’s all about securing non-human identities (NHIs) and managing secrets. By understanding the importance of NHIs and secrets management, companies can efficiently oversee the end-to-end protection of their data, thereby justifying their cloud […]
The post Justifying the Investment in Cloud Compliance appeared first on Entro.
The post Justifying the Investment in Cloud Compliance appeared first on Security Boulevard.
A Question of Preparedness: How Prepared Are You In Detecting Cyber Threats? How confident are you in your organization’s ability in detecting cyber threats? As more and more industries venture on full-scale digitization, the risks associated with cybersecurity also exponentially increase. For this reason, there is a pressing need for a comprehensive security system that […]
The post Getting Better at Detecting Cyber Threats appeared first on Entro.
The post Getting Better at Detecting Cyber Threats appeared first on Security Boulevard.
Why should we be excited about Privileged Access Management? Have you ever pondered the gravity of the implications of not managing Non-Human Identities (NHIs) and their Secrets in your company’s cybersecurity strategy? The rapid digitization of industries such as healthcare, financial services, travel, DevOps, and SOC teams makes securing machine identities an area of utmost […]
The post Exciting Advances in Privileged Access Management appeared first on Entro.
The post Exciting Advances in Privileged Access Management appeared first on Security Boulevard.