Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning $88 million. Find out how they used fake identities and technology to commit the fraud.

North Korean hackers used stolen identities to get remote IT jobs at US companies and non-profits, raking in at least $88 million over six years. The US Department of Justice indicted fourteen North Korean nationals on December 12, 2024, for their involvement. Security firm Flashpoint conducted a unique investigation, analysing data from the hackers’ own infected computers to uncover their tactics and exclusive details on this scheme.

Flashpoint’s investigation revealed the use of fake companies named in the indictment, including “Baby Box Info,” “Helix US,” and “Cubix Tech US,” to create believable resumes and provide fraudulent references. Researchers tracked infected computers, notably one in Lahore, Pakistan, which held login credentials for email addresses associated with these fake entities. The username “jsilver617,” potentially tied to a fake US identity “J.S.,” was found on one of these machines, which was used to apply for numerous tech jobs in 2023.

A critical piece of evidence was the extensive use of Google Translate between English and Korean, found in the browser history of an infected computer, which hinted at the hackers’ origins. Translated messages exposed their methods for creating fake job references, even including fabricated contact information for individuals at the sham companies. One translated message, posing as an HR manager from “Cubix,” provided false employment verification details.

Further communications hinted at a hierarchical structure within the operation and discussed “tradecraft,” such as strategies to avoid using webcams during online meetings. Frustration with a remote worker’s poor performance was also evident in a translated message stating, “It’s proof that you’re a failure.”

The investigation also uncovered discussions about shipping electronic devices, likely laptops and phones for their remote work setups. This aligns with Hackread.com’s recent reporting of Laptop Farms where US-based collaborators received devices for remote access by North Korean workers, with prominent North Korean group Nickel Tapestry identified as the key perpetrator.

In this case, one translated message inquired about the delivery of laptops to Nigeria. Browser history revealed tracking numbers for international courier services, including a shipment possibly originating from Dubai.

Translation provided by Flashpoint:

    We need to make the Abdul's voices heard for a week. After that we can turn off the camera. They are very sensitive to voices. They might not ask Abdul to turn on the video if they don't think there is a difference in thg voices.&op=translate
    
    ---
    
    and you know that was same some that we have already summitted your profile, at that time they told that your rate is high and gave offer to another person , but that offer is backout and now they have backfill of it. please let me know if we can submit your profile at $65/hr on C2C/1099. this time prime vendor is different, but client is same.&op=translate
    
    ---
    
    I didn't complain when you didn't get the assignment for two months. But this is a different matter. It's proof that you're a failure and if you're like this, you won't be able to handle this job well.&op=translate

The investigation also revealed the use of AnyDesk remote desktop software on the infected machines, suggesting the North Korean operatives accessed the US company systems remotely. This detail highlights the direct access they gained to sensitive company networks.

“Ever since its discovery, Fortune 500 companies, technology and cryptocurrency industries have been reporting even more secret DPRK agents siphoning funds, intellectual property, and information,” Flashpoint’s investigation, shared with Hackread.com, revealed.

Flashpoint’s inside look at this operation, achieved by analyzing compromised credentials and infostealer logs, provides a detailed understanding of North Korea’s sophisticated and profitable cyber fraud targeting US organizations.

North Korean Hackers Stole $88M by Posing as US Tech Workers

Weak passwords continue to be a major vulnerability for FTP servers. Specops’ latest report highlights the most frequent…

Weak passwords continue to be a major vulnerability for FTP servers. Specops’ latest report highlights the most frequent passwords used in attacks and offers advice on better password policies.

Cybersecurity researchers at Specops have recently analysed the passwords being used by cyber attackers to try and break into FTP (File Transfer Protocol) servers over the past month. Their research, shared with Hackread.com, reveals that attackers continue to heavily rely on easily guessable passwords, despite the availability of more sophisticated hacking techniques, highlighting the need for stronger password policies to protect networks.

The Specops team researched live attacks happening against real networks and identified the most frequent passwords used in these brute-force attempts, which refer to repeatedly trying different combinations of usernames/passwords to find the correct one. This research was done around the same time that Specops added over 133 million compromised passwords to their “Breached Password Protection” service.

The study examined attacks targeting FTP’s TCP port 21, a common entry point due to its often weak security. The top three most frequently used passwords were “admin” (used 907 times), “root” (896 times), and “123456” (854 times). Other frequently tried passwords included simple ones like “password,” “admin123,” and keyboard patterns like “qwerty.” This highlights a persistent failure by many users to change default credentials or choose strong passwords.

A significant finding was the simplicity of the passwords: 54% of the attempted passwords contained only numbers or lowercase letters, while a mere 1.6% used a combination of uppercase, lowercase, numbers, and special characters.

Source: Specops

This shows that a password policy requiring at least one of each of these character types would block almost 99% of the passwords hackers are currently using against FTP servers.

Finally, researchers examined the length of the passwords used in attacks and identified that a majority, 87.4%, were between 6 and 10 characters long. This supports the latest recommendations from NIST (National Institute of Standards and Technology), which suggest prioritizing longer passwords or passphrases (over 15 characters) with some complexity, as these are much harder to crack through brute force.

They also contrasted these FTP attacks with those targeting RDP (Remote Desktop Protocol) port 3389, noting that RDP’s encryption and security features make simple password guessing less effective. FTP, often transmitting credentials unencrypted, hence remains a prime target for attackers aiming to steal files or plant malicious software.

Marcus White from the Specops team explained that knowing the passwords attackers are using can help organizations create better password rules and defend against these brute-force attacks.

In conclusion, the Specops team recommends that organizations should enforce policies that block weak password choices and encourage the use of passphrases longer than 15 characters with some complexity.

‘Admin’ and ‘123456’ Still Among Most Used Passwords in FTP Attacks

Did Siri record you? Apple is paying $95 million over Siri snooping allegations. Find out if you’re eligible…

Did Siri record you? Apple is paying $95 million over Siri snooping allegations. Find out if you’re eligible and how to claim your share by July 2, 2025.

Apple has settled a class-action lawsuit (PDF) that accused the tech giant of using its voice assistant, Siri, to record users’ private conversations without their permission. Reportedly, Apple has agreed to pay out $95 million to settle this lawsuit, so, if you owned certain Apple devices between September 2014 and December 2024 in the US, you could be eligible for a pay-out.

****Who Can Claim?****

The lawsuit initially filed in 2019 and led by consumers like Fumiko Lopez, claimed that Siri sometimes activated unintentionally and recorded private discussions. These recordings were then reportedly shared with outside companies, leading to targeted advertising within Apple’s search results and Safari web browser.

While Apple denies any wrongdoing or illegal activity, they decided to settle the case earlier this year. Now, a notice approved by a US District Court in California is being sent out to people who might be eligible for a portion of this settlement.

This means, that if you owned a Siri-enabled Apple device in the United States between September 17, 2014, and December 31, 2024, and experienced Siri activating and recording private conversations unintentionally, you might be able to file a claim. Eligible devices include iPhones, iPads, Apple Watches, MacBooks, iMacs, HomePods, iPod Touches, and Apple TVs.

****Filing Your Claim****

Some eligible users have already received emails titled “Lopez Voice Assistant Class Action Settlement” with a claim ID and confirmation code. These individuals can directly submit a claim on the settlement website using this information by July 2, 2025.

> _“Apple will pay $95,000,000 to create a non-reversionary common fund that will cover all approved settlement claims, notice and settlement administration costs (including any taxes owed by the Settlement Fund), any Court-approved service awards, and any Court-approved attorneys’ fees and expenses. The Gross Settlement Amount reverts to Apple only if the Settlement Agreement is voided, canceled, or terminated.”_
> 
> _“The Net Settlement Amount will be distributed on a pro rata basis according to the number of Siri devices that experienced an unintended Siri activation. If Settlement Class Members do not claim their payments within 120 days after issuance, the remaining funds will be used to cover any unexpected settlement administration costs and then distributed to one or more cy pres recipients, as agreed upon by the parties and approved by the Court.”_
> 
> US Dist. Ct., N.D. Cal., Oakland Div.

A snippet from the court documents

If you qualify but didn’t receive a notification, you can still file a “New Claim” on the same website, providing details and proof of purchase or the device’s serial number and model. When submitting, you will choose your preferred payment method, such as physical check, e-check, or direct deposit. The final approval hearing for the settlement is on August 1, 2025, and payments will be processed after that, potentially later this year.

It is worth noting that filing a claim means you cannot sue Apple separately for this issue. However, there is an option to opt out of the settlement if someone wishes to pursue individual legal action against Apple.

Interestingly, Apple is currently facing other lawsuits related to Siri, specifically regarding alleged false advertising of its Apple Intelligence features and the delayed launch of an upgraded version of Siri.

Moreover, the amount each person receives will depend on how many valid claims are submitted. However, the settlement website indicates that the payout is capped at $20 per Siri-enabled device, with a maximum of five devices per claimant, totalling up to $100.

Apple to Pay $95 Million in Siri Snooping Lawsuit – Here’s How to Apply

Cary, North Carolina, 14th May 2025, CyberNewsWire

**Cary, North Carolina, May 14th, 2025, CyberNewsWire**

INE Security, a global leader in hands-on cybersecurity training and certifications, today highlighted how ongoing real-world practice with the latest CVEs (Common Vulnerabilities and Exposures) is essential for transforming security teams from reactive to proactive defenders.

With over 26,000 new CVEs documented in the past year, security teams are drowning in vulnerability alerts while facing exploit windows that have compressed to hours in many cases.

> “Reading CVE bulletins is not the same as knowing how to stop the attack,” said Dara Warn, CEO at INE Security. “Our Skill Dive platform gives practitioners hands-on experience with real vulnerabilities in contained environments, cutting incident response times when these same issues hit production. This practical approach delivers far more value than traditional security certifications alone.”

Skill Dive is INE Security’s risk-free technical environment featuring exclusive labs not found in learning paths and courses. Skill Dive’s Vulnerabilities Lab Collection offers a continuously updated library of labs specifically designed to provide hands-on practice with actual CVEs, allowing security practitioners, including those preparing for pentester certifications, to experience both the exploitation and mitigation of current real-world threats in a safe environment.

**CVEs: From Bulletin to Defense**

CVEs are the standard identifiers for known vulnerabilities, but many security teams struggle to implement effective mitigations at scale, even those with Sec+ and other entry-level certifications.

Common challenges include:

*   Risk prioritization across hundreds of monthly CVEs
*   Testing mitigations without impacting production
*   Adapting defenses to diverse system configurations
*   Building response muscle memory that works under pressure
*   Getting ahead of the threat curve instead of constantly reacting

**Practice Today’s Threats. Prevent Tomorrow’s Breaches.**

INE Security’s Skill Dive Vulnerabilities Lab Collection delivers:

*   **Exclusive vulnerability labs** not available in standard security training
*   **Monthly CVE updates** focusing on high-impact vulnerabilities
*   **Isolated practice environment** for both offensive and defensive techniques
*   **Complete severity coverage** from critical zero-days to common misconfigurations
*   **Practical exploitation and defense experience** that transfers directly to production incidents

> “When a critical CVE drops, you don’t have time to theorize,” said Tracy Wallace, Director of Content at INE Security. “Teams with hands-on practice respond significantly faster because they’ve seen similar attack patterns before. Log4Shell (CVE-2021-44228) was a perfect example – practitioners who had experience with JNDI injection attacks were able to implement effective mitigations within hours, while others took days or even weeks to fully remediate.”

**Real Benefits for Security Teams**

Skill Dive delivers immediate advantages for practitioners:

*   Develop attack pattern recognition that speeds incident response
*   Understand attack chains beyond what bulletins describe
*   Practice team coordination for high-pressure security events
*   Identify defensive gaps before attackers find them
*   Build skills that directly translate to career advancement

SecOps teams, security analysts, and IT admins get exactly what certification courses miss: hands-on practice with real-world vulnerabilities.

> “Security professionals who regularly drill on current vulnerabilities become exponentially more valuable to their organizations,” said Wallace. “The best defenders understand both the attack and defense sides of the equation.”

**High-Impact CVEs in the Skill Dive Collection**

The platform features hands-on labs for the most actively exploited vulnerabilities in enterprise environments, including:

*   **OpenMetadata Authentication Bypass (CVE-2024-28255)**: Exploit the target machine running OpenMetadata by bypassing the authentication and gaining remote code execution (RCE)
*   **Calibre RCE (CVE-2024-6782)**: Exploit the remote code execution vulnerability in Calibre, leading to unauthorized system access
*   **Log4Shell (CVE-2021-44228)**: Practice identifying and remediating this critical remote code execution vulnerability that continues to plague Java applications across multiple sectors
*   **Spring4Shell (CVE-2022-22965)**: Gain hands-on experience with this widely exploited RCE vulnerability affecting Spring Framework applications

> “We continuously track which vulnerabilities are most actively exploited,” said Wallace. “Our collection prioritizes CVEs with the highest real-world impact, not just theoretical severity ratings.”

**Proactive Security Through Deliberate Practice**

The Skill Dive approach includes:

*   Monthly updates aligned with emerging threat patterns
*   Realistic environments mirroring production systems
*   Practical documentation focused on effective mitigations
*   Continuous evolution based on real-world attack trends

Recent lab additions include other top-exploited vulnerabilities such as Cacti Import Packages RCE (CVE-2024-25641), Gradio Path Traversal (CVE-2024-1561), Calibre Arbitrary File Read (CVE-2024-6781), Graylog Information Exposure (CVE-2024-24824), and Navidrome SQL Injection (CVE-2024-47062). 

> “Security teams that regularly practice with new vulnerabilities stop more breaches, period,” said Wallace. “Practice transforms defense from constant firefighting into strategic advantage.”

**Availability**

Individual subscriptions to Skill Dive are available now. Enterprise packages for team training are also available.

For more information, users can visit ine.com/cyber-ranges

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and cybersecurity certifications. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity. The company is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Continuous CVE Practice Closes Critical Gap Between Vulnerability Alerts and Effective Defense

Scammers impersonate government agencies on WhatsApp to target job seekers with fake offers, phishing sites, and identity theft…

Scammers impersonate government agencies on WhatsApp to target job seekers with fake offers, phishing sites, and identity theft schemes, Netcraft warns.

Cybersecurity firm Netcraft has issued a warning about a significant spike in sophisticated recruitment scams targeting job seekers. Their recent analysis, shared exclusively with Hackread.com, highlights three distinct threat actors employing varied methods to defraud individuals, emphasizing the growing danger in the online job market.

****Tech Employer Impersonation:****

This group uses advance fee fraud (AFF), posing as tech companies like Celadonsoft and SoftServ. Victims are lured via WhatsApp with high-paying jobs (often in USDT) and directed to fake websites, which credit them a small sum to build trust, and then prompt them to undertake tasks like app optimization.

To earn high remuneration, users must deposit their funds, ranging from small amounts to thousands of USDT. Victims continue to deposit money to complete more tasks, believing they are accumulating earnings. However, when they withdraw, the funds never materialize, leaving them with huge financial losses and having performed work that likely benefits the scammers. Netcraft found at least nine identical fake sites used in 2024.

Source: Netcraft

****Logistics Agency Impersonation****

Similar to the first group, this actor impersonates a logistics recruiter, Picked Well, employing AFF tactics. While the overall modus operandi mirrors the first threat actor – luring victims with job offers and then requiring upfront payments for tasks to supposedly unlock high earnings – the key differentiator is the geo-based targeting.

These scams are localized with Netcraft detecting a total of 36 fake websites specifically targeting victims in 18 different countries- the US being a major focus. The US experienced 95 times more traffic to these fake sites than the UK and 170 times more than Australia. This suggests a specific focus on US job seekers with 63,000 targeted already.

According to Netcraft’s blog post, in both scams, initial contact often occurs through messaging platforms like WhatsApp and Telegram, with recruiters using two different fake personas to build trust and execute financial extraction.

****Government Impersonation:****

This threat actor impersonates the Government of Singapore, aiming for **identity theft.** Fake Government of Singapore Telegram groups lure victims into joining them. Within these groups, messages are posted, often with slight errors in spelling like “Singapure”, claiming to be from official departments.

Source: Netcraft

Clicking on links leads to phishing websites offering fake job vacancies with attractive salaries. Users are required to sign up, provide their identity card and phone number, and enter a verification code. This gives the attacker full control over the victim’s account. Netcraft warns that compromised accounts are likely used to impersonate victims, spread scam messages, or engage in extortion.

These findings align with a concerning trend reported by the FTC, which saw over $500 million lost to job scams in the US in 2023, a significant increase from$200 million in 2022.

Therefore, job seekers should be vigilant when receiving correspondence from recruiters or searching for jobs online. Look for telltale characteristics, such as a lack of Facetime with recruiters, communication via social media, typos and low-quality content. Netcraft notes that promises that seem “too good to be true,” should serve as a red flag for such fraudulent schemes.

Job Seekers Targeted as Scammers Pose as Government Agencies on WhatsApp

CISA adds TeleMessage flaw to KEV list, urges agencies to act within 3 weeks after a breach exposed…

CISA adds TeleMessage flaw to KEV list, urges agencies to act within 3 weeks after a breach exposed unencrypted chats. The Israeli App was used by Trump officials!

A serious flaw in TM SGNL, a messaging app by US-Israeli firm TeleMessage used by former Trump administration officials, has now landed on CISA’s Known Exploited Vulnerabilities (KEV) list. The move follows reports of a breach that exposed sensitive communications and backend data.

The Cybersecurity and Infrastructure Security Agency (**CISA**) added CVE-2025-47729 to its KEV catalogue this week. The listing confirms that the vulnerability has been exploited in the wild and sets a three-week deadline for federal agencies to address the issue.

****Breach and Research Findings****

On May 5, Hackread.com **reported** that TeleMessage had halted operations of TM SGNL after attackers gained access to backend systems and user message data. The breach cast doubt on the platform’s core security claims.

Security researcher Micah Lee analyzed the app’s source code and found a serious gap in its encryption model. While TeleMessage stated that TM SGNL used **end-to-end encryption**, Lee’s findings suggest otherwise. Communication between the app and its final storage point lacked full encryption, which opened the door for attackers to intercept plaintext chat logs.

This finding raised some serious security and privacy concerns given the app’s past use by high-level figures, including former national security advisor Mike Waltz.

Follow us on TikTok

****Why CISA Acted****

CISA’s decision to add the flaw to its KEV list sends a clear message to government agencies: the software isn’t safe. It puts pressure on them to patch or drop it quickly.

**Thomas Richards**, Infrastructure Security Practice Director at Black Duck, said the decision likely stemmed from the software’s use in government:

“This vulnerability was probably added to the KEV list because of who was using it. With sensitive government conversations involved, the breach takes on another level of risk. CISA’s move is about making sure agencies know this software shouldn’t be trusted.”

**Casey Ellis**, founder of Bugcrowd, added that the inclusion confirms the severity:

“CISA is making sure federal agencies got the message. The fact that the logs weren’t properly encrypted changes the risk equation. And while the CVSS 1.9 score may seem low, it still reflects the danger of compromising the device storing those logs.”

****What’s Next****

Federal agencies are now required to act within three weeks. Organizations outside the government are also advised to review the KEV catalogue and consider prioritizing patches or alternative solutions.

The breach and following KEV listing have pushed TeleMessage into a larger discussion about transparency, encryption standards, and the security infrastructure of platforms used in political and governmental communication.

For more information, the CVE entry is available via **NVD**, and the KEV catalogue can be accessed on the **CISA website**.

CISA Adds TeleMessage Vulnerability to KEV List Following Breach

Zoom fixes multiple security bugs in Workplace Apps, including a high-risk flaw. Users are urged to update to…

Zoom fixes multiple security bugs in Workplace Apps, including a high-risk flaw. Users are urged to update to the latest version released on May 13, 2025.

Zoom pushed out a batch of security fixes today, addressing multiple vulnerabilities across its Workplace Apps. One of them has been marked high severity, while the others are rated medium. The updates affect both general app versions and Windows-specific builds.

For anyone using Zoom in business or education settings, especially on Windows systems, these updates are worth attention.

****What Was Fixed****

The most significant of the bunch is a time-of-check to time-of-use (TOCTOU) issue listed under CVE-2025-30663. This type of bug occurs when there’s a delay between a system checking if an action is safe and performing it. During that short window, attackers might interfere. This bug affects Zoom Workplace Apps broadly and was rated high severity.

The rest of the vulnerabilities carry medium severity ratings. Here’s a quick breakdown:

****Improper Neutralization of Special Elements****

*   Affects: All Workplace Apps
*   CVEs: CVE-2025-46786, CVE-2025-46787, CVE-2025-30664
*   Issue: These bugs involve the mishandling of user inputs, which could allow scripts or commands to be executed in unexpected ways.

****Buffer Over-read****

*   Affects: Windows versions
*   CVE: CVE-2025-46785
*   Issue: This bug could lead to the application reading more data than it should, risking exposure of sensitive information.

****NULL Pointer Dereference****

*   Affects: General and Windows-specific builds
*   CVEs: CVE-2025-30665, CVE-2025-30666, CVE-2025-30667, CVE-2025-30668
*   Issue: These can cause the app to crash by trying to access memory that hasn’t been set, which could be exploited in some edge cases.

All seven bulletins were published today on Zoom’s official security bulletin page, with updates issued at the same time.

In a comment to Hackread.com, Jim Routh, Chief Trust Officer at Saviynt stated, “Cyber professionals are considering the need for deepfake detection and prevention impacting virtual meetings today. It turns out that the software defects/vulnerabilities announced recently in Zoom Workplace are far more critical at this time.”

”DoS and remote code execution vulnerabilities have the potential for significant business disruption with the potential for ransomware exploits,” he added. ”Software resilience for enterprise software companies is achievable with more maturity in the development process to identify and remediate race conditions.”

****Patch NOW****

Zoom is widely used across industries, and bugs like these mixed with others, can be a massive security risk. While the technical details may not apply to everyday users, IT teams should treat this as a routine security maintenance window. Applying the patches quickly reduces the chance of these issues being exploited.

Therefore, if you use Zoom Workplace Apps, update now. The patches are live and available for download. Admins managing enterprise deployments should review their update pipelines to make sure these fixes are rolled out across all user endpoints.

Zoom Fixes High-Risk Flaw in Latest Update

A security lapse on PrepHero, a college recruiting platform, exposed millions of unencrypted records, including sensitive personal details…

A security lapse on PrepHero, a college recruiting platform, exposed millions of unencrypted records, including sensitive personal details and passport images of student-athletes.

A massive amount of personal information belonging to over three million individuals, including young athletes hoping for college scholarships and their coaches, was recently found unprotected online. vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered this exposed database and reported it on May 12, 2025.

Based on the information in the database, it belonged to a Chicago-based company called PrepHero, operated by EXACT Sports. For your information, PrepHero helps high school athletes create recruiting profiles for college sports programs and facilitates direct communication between athletes and coaches at renowned universities, aiming to secure sports scholarships.

According to Fowler’s investigation, shared with Hackread.com, this database contained a staggering 3,154,239 records (totalling around 135 gigabytes) and was not secured with a password or any form of encryption.

Fowler’s initial checks revealed sensitive information about student-athletes, including names, phone numbers, email addresses, home addresses, and passport information. The database also contained contact details for parents and coaches, as well as unprotected computer files with student athletes’ passport image links.

Source: vpnMentor

Adding to the severity of the exposure, the database contained a folder labelled “mail cache” holding 10 gigabytes of email messages spanning from 2017 to 2025. The folder contained personalized web links to publicly accessible pages displaying names, birth dates, email addresses, home addresses, and compensation details.

Some emails also included temporary passwords, posing further privacy risks. Audio recordings of coaches stating their names, colleges, and evaluations of student athletes’ strengths and weaknesses were also found.

Fowler promptly disclosed this discovery to PrepHero, which quickly secured the database, preventing further public access. While the exposed records have been linked to PrepHero, it is yet unclear whether this database was directly managed or an external company was responsible for its management. Furthermore, it’s also unclear how long the sensitive information was accessible online before Fowler’s discovery or if anyone else might have accessed it.

****Education Sector is Already Vulnerable****

As noted in Check Point’s April 2025 malware report, cyber attacks on the education sector continue to rise. Just last week, edtech giant PowerSchool confirmed it paid ransom after a December 2024 ransomware attack that exposed the personal data of students and teachers.

Meanwhile, new reports reveal that the official website of iClicker, a widely used student engagement platform, was hacked in a ClickFix attack. Having a database exposed to cyber criminals is worse than leaving your front door wide open, it’s an open invitation with far more at stake.

Fowler highlighted the privacy risks associated with exposing student athletes’ personal information, as they are often young and lack credit histories, making them vulnerable to identity theft. Criminals could use this data to open fraudulent accounts without immediate detection. Students, parents, and coaches’ contact information could be exploited for targeted phishing attacks and scams, with coaches also at risk of spear-phishing attempts.

Considering these repercussions, individuals associated with PrepHero or EXACT Sports must remain cautious about phishing/social engineering attempts, use secure content management systems with access controls, use multi-factor authentication for all accounts and encrypt sensitive documents to minimize the impact of potential data breaches.

“Sending emails with unique web links to surveys or open webpages that contain PII should be restricted and only accessible with login credentials to prevent unauthorized or accidental access,” Fowler advised.

PrepHero-Linked Database Exposed Data of 3M Students and Coaches

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot”…

Popular student engagement platform iClicker’s website was compromised with a ClickFix attack. A fake “I’m not a robot” check tricked users into installing malware. Learn who was affected and how to stay safe.

A popular digital classroom used in many universities, called iClicker, was recently targeted by hackers. This tool, owned by Macmillan, helps teachers track attendance and ask students questions in class. Millions of students and thousands of teachers across the US, including the University of Michigan and the University of Florida, use iClicker.

According to the University of Michigan’s Safe Computing Team’s advisory, between April 12th and 16th, 2025, the iClicker website was compromised, showing a fake CAPTCHA to the site’s visitors, and asking them to click “I’m not a robot.”

Source: University of Michigan

When a Windows user clicked on this fake check, a hidden PowerShell command was copied to their device. They were prompted to open a special window on their computer (by pressing the Windows key and the letter ‘R’ at the same time), paste this command (by pressing Ctrl and ‘V’), and then press Enter. Doing this would run the hidden command.

This trick, known as a ClickFix attack, is a way to fool people into downloading malware.  A Reddit user tested this command on Any.Run and found it would connect to a server on the internet to download another set of instructions, depending on who was visiting the website. If it was a real person using a regular computer, the instructions would download malware, which could give the attacker complete control over the device.

 This malware was likely designed to steal personal information, such as usernames, passwords, credit card details, and even cryptocurrency wallet information stored on the computer.

In case the visitor was a system used by security experts to analyze malware, the hidden command would instead download a harmless program from Microsoft so that the attackers could evade detection.

In its security bulletin, iClicker confirmed that its main system and user information were safe, explaining that a third party put a fake security check on their website before users logged in.

As previously reported by Hackread.com, ClickFix has become a growing concern in the cybersecurity world. In March 2024, we reported the increasing use of ClickFix attacks by cybercrime groups like TA571 and ClearFake. Later, in October 2024, security firm Sekoia observed more ClickFix attacks using fake Google Meet, Chrome, and Facebook pages to spread malware.

Recently, in April 2025, Hackread.com reported that government-backed hacking groups from countries like North Korea, Iran, and Russia used this method in their spying operations and even published a detailed blog post on how to protect yourself from ClickFix attacks.

iClicker advises anyone who visited their website between April 12th and 16th and clicked on the fake security check to immediately change all the passwords saved on their computer, including the iClicker password and use a password manager to maximize account security. People who only used the iClicker mobile app or did not see the fake security check were safe from this particular attack.

Debbie Gordon, CEO and Founder at Cloud Range commented on the development stating, “This incident shows how easily attackers can turn a simple user interaction, like clicking a CAPTCHA, into a full compromise.”

“The real question is: how quickly can your team detect and contain it? That’s the essence of incident response readiness. Simulation-based training gives defenders the muscle memory they need to spot behavioural red flags, investigate effectively, and coordinate containment actions in real-time before small lapses become major breaches.”

iClicker Website Hacked with Fake CAPTCHA in ClickFix Attack

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Source

HackRead