Introduction
As tax season approaches, cyber criminals are ramping up their efforts to exploit individuals and organisations through sophisticated phishing and malware campaigns. Recent reports from Proofpoint highlight a surge in tax-related cyber attacks, with threat actors impersonating tax agencies and financial organisations to steal sensitive information and deliver malware.
Nature of the Attack
Phishing campaigns leveraging tax themes typically impersonate government agencies or financial services organisations. These attacks often involve sending emails that appear to be from legitimate sources, such as HM Revenue & Customs (HMRC) in the UK or Intuit in the US. The emails contain links to malicious websites designed to harvest credentials or deliver malware.
For example, Proofpoint observed a campaign beginning on January 12, 2025, where attackers impersonated HMRC with “account update” lures. These emails directed recipients to credential harvesting sites that mimicked HMRC’s branding. Similarly, a campaign on January 16, 2025, impersonated Intuit, sending emails that claimed tax forms were rejected and leading victims to fake authentication pages.
Risk
The risk associated with these attacks is significant. Phishing campaigns can lead to the theft of personal information, including usernames, passwords, and financial details. This information can be used for fraudulent activities, such as unauthorised access to accounts or identity theft. Additionally, some campaigns deliver malware, which can compromise systems and lead to further data breaches or financial loss.
In one instance, a campaign targeting Swiss organisations on December 18, 2024, involved fraudulent emails masquerading as federal tax payment reminders. These emails directed recipients to make payments via Revolut accounts, threatening fines for non-compliance. This campaign aimed to defraud users directly rather than harvest credentials.
Conclusion
Tax-themed phishing and malware campaigns are a growing threat during tax season. These attacks exploit the urgency and fear associated with tax deadlines, making them particularly effective. Organisations and individuals must remain vigilant, educate themselves about common phishing tactics, and implement robust cyber security measures to protect against these threats.
The Human Risk Management module from Norm can educate users on how to spot a likely malicious link. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious links. It is also recommended to take a minute to assess a link before clicking and never give any remote access to your device.
References:
Tax Season Cybersecurity Alert: Report Reveals Surge in Tax-Related Cyberattacks (securityonline.info)
Security Brief: Threat Actors Take Taxes Into Account (proofpoint.com)
That moment when you click the ‘confirm purchase’ button for an online payment and wait for the email to land in your inbox. It’s a simple, reassuring ritual, isn’t it? That email confirming your payment has been processed successfully and your order is on its way.
But what if that moment of reassurance is about to be upended? Enter PhishWP, a malevolent WordPress plugin recently uncovered in the murky depths of Russian cyber crime forums. PhishWP is a sophisticated phishing tool, enabling attackers to steal sensitive data like credit card numbers, personal details, and even browser metadata, all in real-time. It’s already quietly infiltrating e-commerce sites, turning legitimate transactions into opportunities for theft.
What is WordPress and How is It Exploited?
WordPress powers nearly half of all websites, including e-commerce platforms. Its open-source nature allows for numerous plugins, which, while useful, can be exploited. While WordPress itself is secure, its plugins, such as PhishWP, can become entry points for cyber criminals, turning trusted websites into phishing engines that steal sensitive data.
PhishWP
PhishWP masquerades as legitimate payment pages, mimicking trusted services like Stripe, tricking users into entering credit card numbers, billing addresses, and one-time passwords while believing they’re making a secure purchase. It also bypasses 3D Secure (3DS) protections, enabling attackers to steal one-time passwords and complete transactions.
The Deceptive Confirmation Email
PhishWP doesn’t stop at stealing data. It sends fake confirmation emails that mimic legitimate receipts, reinforcing the victim’s sense of security while sending the stolen information to attackers via Telegram in real time. By the time the victim realises, the damage is already done.
Advanced Capabilities of PhishWP
These features make PhishWP a highly effective tool for cyber criminals, exploiting users’ trust in online payment systems to steal valuable data.
Conclusion
PhishWP highlights the vulnerability of trust in online systems. With WordPress powering a vast number of websites, its plugins offer extensive attack surfaces. PhishWP exploits mechanisms meant to protect us, so next time a confirmation email arrives, ask: is it a seal of legitimacy or the final act in a digital con? Stay vigilant to protect yourself from such schemes.
Recommendations
References:
Beware of PhishWP: New WordPress Plugin Targets Online Shoppers (securityonline.info)
New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages (hackread.com)
PhishWP Plug-in Hijacks WordPress e-Commerce Checkouts (darkreading.com)
WordPress Statistics: How Many Websites Use WordPress? (colorlib.com)
Introduction
In our tech-driven world, cyber security threats are an ever-present concern. One vulnerability that’s been making waves lately is CVE-2025-24085. If you’ve been hearing about it and want to know more, you’re in the right place. We’ll break down what this vulnerability is, how it works, the risks involved, how you can protect yourself, and wrap it all up with some key takeaways.
What is CVE-2025-24085?
CVE-2025-24085 sounds pretty technical, right? But at its core, it’s a flaw in Apple’s CoreMedia component, which is crucial for handling audio and video on devices like iPhones, iPads, Macs, and more. This flaw is what’s known as a “use-after-free” vulnerability, and it could allow a malicious app to gain higher privileges, potentially wreaking havoc on your device.
How Does It Work?
Imagine your device’s memory as a library. A use-after-free vulnerability is like a librarian who forgets to remove a book from the catalogue after lending it out, leading to chaos when someone else tries to check out the same book. In this case, the CoreMedia component mishandles memory, and a clever attacker can exploit this to run their own code. When a specially crafted file is processed, the vulnerability kicks in, causing memory corruption and allowing malicious code to execute.
Potential Impact
So, what can happen if this vulnerability is exploited?
Real-World Exploitation
While there haven’t been widespread reports of this vulnerability being exploited in the wild, it’s essential to stay vigilant. Security researchers have shown that it’s possible, which means the risk is real.
Update Your Devices
The good news is that Apple has already rolled out updates to fix this issue. Make sure your devices are running the latest versions—iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, and tvOS 18.3. These updates improve memory management in the CoreMedia component, closing the loophole.
Best Practices
Conclusion
CVE-2025-24085 is a stark reminder of the ever-evolving nature of cyber security threats. Staying informed and proactive is crucial in protecting your digital life. By understanding this vulnerability and taking the right precautions, you can minimise the risks and keep your devices secure.
References:
About the security content of macOS Sequoia 15.3 (support.apple.com)
NVD – CVE-2025-24085 (nvd.nist.gov)
Apple Releases Security Updates for Multiple Products (digital.nhs.uk)
Apple zero-day vulnerability exploited to target iPhone users (helpnetsecurity.com)
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.
You can receive this bulletin for free, every fortnight, by entering your business email address below:
