Information Security News – 4/28/2025


2025 Data Breach Investigations Report: 3rd-party Breaches Double

Article link: https://www.helpnetsecurity.com/2025/04/23/verizon-2025-data-breach-investigations-report-dbir/    

  • Verizon’s 2025 DBIR shows 3rd-party breaches doubled year over year, with software supply chains emerging as a dominant point of failure. The report analyzed 22,052 incidents, including 12,195 confirmed breaches, an increase of 34% from 2024’s report.
  • Ransomware remained a leading threat, involved in 44% of breaches, while the human element held steady at 60% of breaches. Credential misuse again ranks as the top entry method.
  • The manufacturing, professional services, and healthcare sectors were the most affected by ransomware attacks, with breach timelines shrinking due to automated attack tools. Stolen credentials often provided immediate access to partner-connected systems.
  • As attack tools and methods continue to grow in complexity and sophistication, companies not mature in their IT and cybersecurity tooling and practices are increasingly vulnerable. Risk reduction now hinges on 3rd-party oversight, timely patching, and credential governance.
  • Report: https://www.verizon.com/business/resources/reports/dbir/

The Future of 3rd-Party Risk Management: Seven Key Predictions for 2025

Article link: https://www.cyberdefensemagazine.com/the-future-of-third-party-risk-management-seven-key-predictions-for-2025/   

  • Third-party risk management (TPRM) is poised for major shifts in 2025, with trends pointing to automation, real-time monitoring, and rising regulatory expectations. These changes aim to reduce blind spots in supply chains.
  • Predictions include a growing use of AI to detect anomalies, increased scrutiny of cloud vendors, and stricter board-level accountability for 3rd-party incidents. Privacy and contractual risk are also expected to take center stage.
  • As attacks through vendors increase, the need to move beyond static risk assessments becomes more apparent. Continuous validation and data-driven insights are becoming core expectations.
  • The report advises revisiting current risk frameworks and modernizing vetting processes. A move toward shared intelligence and automated scoring is likely to redefine how partner ecosystems are evaluated.

84-Year-Old Victim of “Publishers Clearing House” Scam Helps Police Set Up Sting, Leading to Chase and Arrests

Article link: https://www.cbsnews.com/pittsburgh/news/scam-victim-sets-up-sting-police-chase-westmoreland-county/    

  • An 84-year-old Pennsylvania resident was targeted by scammers claiming she had won a Publishers Clearing House prize. Suspecting fraud, she contacted police and helped arrange a sting operation.
  • The scammers requested $9,500 to pay for the purported taxes necessary to claim the winnings. Police arrested two individuals during the handoff, following a short vehicle pursuit.
  • This case shows how social engineering schemes still rely heavily on phone calls and mail, often targeting the elderly and others perceived as vulnerable. The suspects reportedly traveled from New York to carry out the fraud.
  • Awareness campaigns around prize scams remain vital. Residents are reminded that legitimate awards do not require payment, and suspicious prize claims must be reported immediately.

Blue Shield of California Shared the Private Health Data of Millions with Google for Years

Article link: https://techcrunch.com/2025/04/23/blue-shield-of-california-shared-the-private-health-data-of-millions-with-google-for-years/    

  • Blue Shield of California reportedly shared sensitive patient health information with Google through its use of tracking pixels embedded in digital tools. The data included names, member IDs, and IP addresses.
  • The issue went undetected for years and affected an undisclosed number of users. The data was not shared for advertising but still exposed individuals without consent.
  • The company has since removed the tracking code and hired external auditors to investigate the full extent. Blue Shield is in the process of contacting the affected 4.7 million individuals.
  • Healthcare platforms using 3rd-party scripts are advised to audit integrations routinely to avoid potential HIPAA violations. Consent management practices must be examined in light of privacy regulations and patient data protections.

Beware of This Sneaky Google Phishing Scam

Article link: https://www.theverge.com/news/652509/google-no-reply-dkim-phishing-scam    

  • Attackers are abusing a misconfigured Google service to send phishing emails that appear to originate from a “no-reply@accounts.google.com” address. The emails pass SPF, DKIM, and DMARC checks, adding false legitimacy.
  • Victims receive messages that appear to be a subpoena requiring access to their Google account and that contain links to credential-harvesting pages. The content is delivered through Google Sites, which attackers can abuse while the pages still look legitimate, and through 3rd-party forms.
  • Researchers noted the tactic’s ability to bypass most modern spam filters and secure gateways. Its apparent authenticity is reinforced by the email’s valid authentication headers.
  • Users are advised to verify email context before clicking links and to treat unexpected file-sharing prompts with caution. Security teams may consider flagging or sandboxing messages that contain embedded form links.
  • EasyDMARC Technical analysis: https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/
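The mitigation in the last bullet, flagging or sandboxing authenticated mail that links to user-publishable hosting, is shown below as an added example written for this digest; it is not code from the article or from EasyDMARC. It uses only the Python standard library. The two sample messages are constructed, the `Authentication-Results` values are made up for the demo, and the list of hosting domains is an illustrative assumption rather than an authoritative blocklist. The design point is that a `dkim=pass`/`dmarc=pass` result is recorded but never used to clear a message, because the article's whole finding is that those checks can pass on attacker-controlled content.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Hosting services on which anyone can publish a page or form behind a
# trusted-looking domain. Assumption: this list is illustrative only.
USER_CONTENT_HOSTS = ("sites.google.com", "docs.google.com", "forms.gle")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not captured phish). The first mirrors the
# pattern in the article: passing dkim/dmarc results plus a hosted-page link.
SUSPECT_MESSAGE = """\
From: Google <no-reply@accounts.google.com>
To: analyst@example.com
Subject: Notice of legal process
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=accounts.google.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

A subpoena requires access to your account. Review the case file at
https://sites.google.com/view/constructed-example-case
"""

BENIGN_MESSAGE = """\
From: Google <no-reply@accounts.google.com>
To: analyst@example.com
Subject: Security alert
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=accounts.google.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review activity at
https://myaccount.google.com/notifications
"""


def passes_authentication(msg):
    """True when the receiving MTA recorded dkim=pass and dmarc=pass."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return "dkim=pass" in results and "dmarc=pass" in results


def extract_urls(text):
    return URL_RE.findall(text)


def hosted_content_links(urls):
    """Return the links that point at user-publishable hosting services."""
    flagged = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in USER_CONTENT_HOSTS):
            flagged.append(url)
    return flagged


def triage(raw_message):
    """Decide whether a message is delivered or sandboxed.

    Authentication results are reported for the analyst but never used to
    clear a message: the article's point is that they can pass on attacker
    content, so the decision rests on where the embedded links lead.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    flagged = hosted_content_links(extract_urls(text))
    return {
        "authenticated": passes_authentication(msg),
        "hosted_content_links": flagged,
        "action": "sandbox" if flagged else "deliver",
    }


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage(raw))
```

In a real gateway the same check would run over HTML bodies and attachments as well, and the host list would be maintained as policy rather than hard-coded.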

FBI Reveals “Staggering” $16.6bn Lost to Cybercrime in 2024

Article link: https://www.infosecurity-magazine.com/news/fbi-staggering-lost-cybercrime-2024/    

  • The FBI’s Internet Crime Complaint Center (IC3) reported $16.6 billion in victim losses for 2024, the highest total ever recorded. Investment scams accounted for nearly $6.6 billion of that amount, the most by crime type and up from $4.5 billion in 2023.
  • The most reported crimes included phishing, extortion, personal data breaches, and non-payment/non-delivery schemes. Cryptocurrency was used to facilitate the crime in nearly 150,000 complaints, accounting for $9.3 billion in losses.
  • Nearly 880,000 complaints were submitted, and losses in the over-60 age group exceeded $4.8 billion. These figures paint a grim picture of evolving financial threats.
  • Recommendations include increased use of multi-factor authentication, caution with unsolicited messages, and swift reporting of incidents. Public vigilance and education remain top preventive measures.
  • Report: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

Chrome Extensions with 6M Installs Contain Hidden Tracking Code

Article link: https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/  

  • Researchers uncovered that 57 Chrome extensions with a combined install base of over 6 million users were embedded with obfuscated tracking scripts. These extensions harvested browsing activity without user consent.
  • The code was structured to avoid detection by security tools and only activated after a delay post-installation. Cuponomia, Fire Shield Extension Protection, and Total Safety (700K, 300K, and 300K users respectively) were the affected extensions with the highest user counts.
  • Data was routed to remote servers, and the extensions were removed from the Chrome Web Store after the findings were reported. The researchers noted that the extensions mimicked benign functionality to avoid scrutiny.
  • Users are advised to regularly audit browser extensions and remove those with vague privacy policies or unnecessary permissions. Enterprise environments may consider managing extension usage centrally to reduce exposure.
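The audit recommended in the last bullet can be started from the extension manifest alone. The script below is an added example written for this digest, not code from the article or the researchers; the two manifests are constructed and are not the manifests of the extensions named above, and the weighting of which permissions count as sensitive is an illustrative assumption rather than Chrome's own risk model. It flags the combination the article describes (traffic visibility plus reach into every site) as worse than either capability on its own, and handles both Manifest V2 (host patterns inside `permissions`) and V3 (`host_permissions`).

```python
import json

# Capabilities that let an extension observe or alter activity on permitted
# sites. Assumption: this weighting is illustrative, not Chrome's risk model.
SENSITIVE_PERMISSIONS = {
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can modify or block every request",
    "cookies": "can read session cookies for permitted hosts",
    "history": "can read full browsing history",
    "webNavigation": "can track page navigations",
    "scripting": "can inject scripts into permitted pages",
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Constructed manifests (not those of the extensions named in the article).
# The first resembles a coupon helper asking for far more than a coupon
# lookup needs; the second is a minimal, least-privilege shape.
OVERREACHING_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Coupon Helper",
    "permissions": ["storage", "webRequest", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

MINIMAL_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Note Taker",
    "permissions": ["storage", "activeTab"],
    "host_permissions": [],
})


def audit_manifest(manifest_json):
    """Return a list of findings for one extension manifest."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", []))
    for p in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission {p}: {SENSITIVE_PERMISSIONS[p]}")

    # Manifest V2 kept host patterns inside "permissions"; V3 moved them to
    # "host_permissions". Check both so the audit works on either version.
    hosts = set(m.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    broad = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")

    for cs in m.get("content_scripts", []):
        wide = [x for x in cs.get("matches", []) if x in BROAD_HOST_PATTERNS]
        if wide:
            findings.append(f"content script runs on all sites: {', '.join(wide)}")

    # The combination the article describes (see traffic + reach every site)
    # is worse than either capability alone, so it gets its own finding.
    if broad and perms & {"webRequest", "webRequestBlocking", "cookies"}:
        findings.append("can harvest browsing activity on every site")
    return findings


def rank_extensions(manifests):
    """Sort (name, manifest_json) pairs by number of findings, worst first."""
    scored = [(name, audit_manifest(m)) for name, m in manifests]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for name, findings in rank_extensions([
        ("coupon-helper", OVERREACHING_MANIFEST),
        ("note-taker", MINIMAL_MANIFEST),
    ]):
        print(name, findings or ["no findings"])
```

A static manifest review cannot see the delayed activation the article describes, so it is a first filter for inventory and policy decisions, not a substitute for inspecting the extension's code or its network behaviour.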

Two Ways AI Hype Is Worsening the Cybersecurity Skills Crisis

Article link: https://www.csoonline.com/article/3958818/two-ways-ai-hype-is-worsening-the-cybersecurity-skills-crisis.html    

  • The widespread enthusiasm for AI is complicating talent shortages by fueling misconceptions about workforce needs. Many executives now believe AI can reduce headcount requirements, leading to underinvestment in skilled personnel.
  • The article cites the growing interest in AI-related topics in O’Reilly’s Technology Trends for 2025 report to highlight the rising expectations placed on cybersecurity professionals to deploy AI tools properly. Those tools often need more, not fewer, specialists to operate safely.
  • A disconnect is growing between technological ambition and operational reality. Misaligned hiring plans risk leaving teams unable to properly configure, monitor, and remediate AI-driven environments.
  • Strategic planning must factor in long-term staffing and training, particularly around AI lifecycle management. Metrics used to assess talent needs are due for recalibration as AI use deepens.
  • Report: https://www.oreilly.com/radar/technology-trends-for-2025/

Today’s LLMs Craft Exploits from Patches at Lightning Speed

Article link: https://www.theregister.com/2025/04/21/ai_models_can_generate_exploit/    

  • Matthew Keely of pentesting firm ProDefense utilized OpenAI’s GPT-4 and Anthropic’s Claude Sonnet 3.7 to create an exploit for a critical vulnerability in Erlang’s SSH library (CVE-2025-32433) in only a few hours.
  • The researcher reports using GPT-4 to produce code differences between the vulnerable and patched portions of the SSH server to identify the source of the vulnerability, while using Sonnet 3.7 to complete a working proof of concept (PoC) for it.
  • He states that his findings illustrate, in part, the 38 percent increase in published CVEs from 2023 to 2024. That increase reflects higher volume as well as the greater speed and complexity of the threat landscape.
  • Keely sums up an ever-growing responsibility for swifter action on remediation: “Enterprises should treat every CVE release as if exploitation could start immediately. You no longer have days or weeks to react. You need to be ready to respond the moment the details go public.”
