Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
That email with the authentic Microsoft address, it's still phishing.
Hackers exploit DNS misconfigurations to hijack trusted domains.
The CISA leadership exodus leaves the agency in crisis, and X gets pod y.
Cybersecurity and fraud: both need to be designed in and not bolted on.
(00:23):
This is Cybersecurity Today.
I'm your host, Jim Love.
If you've recently gotten an email from Microsoft asking you to take some action
like updating Windows or confirming your account, take a closer look.
It could be a phishing scam.
But like any good cybersecurity pro, you checked, and the
email address is authentic.
(00:44):
It's still a fake.
According to a new report from Forbes, some Windows users are
receiving emails that appear to come directly from Microsoft.
They look legitimate.
The sender email is authentic.
They have proper branding and authentic-looking links.
The only giveaway might be that urgent-sounding language, and if you click
(01:06):
those links or download the attachments, you could be installing malware or
turning over your login credentials.
What's especially troubling is that the email design so closely
mimics real messages from Microsoft, making it harder for even savvy
users to spot the difference.
This new wave of impersonation emails is better disguised and more targeted.
(01:29):
We saw an earlier version of this a few months back when someone
was able to manipulate a PayPal feature to get phishing emails to
originate from PayPal's own servers.
It appears that this new wave of fake emails from Microsoft may have found a way
to hijack Microsoft's notification system.
We don't know for certain.
But the resulting email looks totally authentic, and because Microsoft's name
(01:53):
carries weight, people are more likely to engage without questioning the source.
Cybersecurity analyst Zak Doffman flagged this in his Forbes column, noting that
attackers are banking on this trust, and of course, the old judgment killer, urgency,
to get users to act without thinking.
This is gonna change a lot of training programs.
(02:15):
We often say that users should only respond to messages from trusted sources.
We train them to look closely at URLs and email addresses,
but this is no longer enough.
It looks like we're gonna have to move them towards a true zero trust policy.
My advice has always been, when you get a notice from anybody, bank,
government, corporation, whatever, go independently to their website.
(02:40):
Never click a link that you got; go there directly and find the
information that you need there.
But that can't cover all communications.
So we're all gonna be back to the drawing board on this one.
Personally, I'd love to hear your ideas about what you are doing.
A hacking group known as Hazy Hawk is exploiting misconfigured
(03:03):
DNS records to hijack legitimate domains and serve malware from what
should be trusted web addresses.
According to new research from a firm called Infoblox, the campaign, active
since at least September 2023, is notable for abusing a common DNS
oversight: dangling CNAME records.
(03:26):
Hazy Hawk, suspected to operate out of Russia or Eastern Europe,
scans for expired third-party services still listed in a domain's DNS records.
When they find one, they quickly register the expired service and
take control of the subdomain.
This lets them use a trusted brand's domain to host fake login
(03:47):
pages and deliver malware without triggering the usual red flags for
end users or even email filters.
Infoblox researchers said that this method is especially dangerous because
the hijacked domains retain their original TLS certificates,
preserving the appearance of legitimacy.
(04:08):
Victims so far include multiple organizations in the education, telecom,
finance, and even government sectors.
Infoblox's report said these aren't low-effort phishing sites.
They're cloaked behind well-known names, running on HTTPS with
valid certificates, and often escape detection for weeks.
(04:28):
The broader concern is how widespread these misconfigurations are.
Infoblox warns that many companies don't routinely audit their DNS
records after decommissioning third-party tools or services.
That oversight creates an open door for attackers to quietly
hijack their infrastructure.
And while Hazy Hawk isn't the first group to use dangling DNS records, the scale and
(04:50):
persistence of this new campaign suggests it's becoming a mainstream tactic.
Organizations should regularly audit DNS entries, especially CNAME and
TXT records referencing third-party services. Expired domains should be
cleaned up immediately, and automated tools can help flag potential hijack
(05:11):
risks before attackers exploit them.
For those of you who want a very detailed look at this issue,
you can go to infoblox.com and search for forgotten DNS records.
(05:32):
There's also a link in the show notes as well.
Nearly every top official at the Cybersecurity and Infrastructure Security
Agency, CISA, is leaving or has already left in what appears to be a sweeping
purge under the Trump administration's government downsizing campaign.
The loss of so many leaders at once is sparking deep concern about the agency's
(05:54):
ability to function during a time of escalating foreign cyber threats.
According to an internal email obtained by Cybersecurity Dive, five of CISA's
six operational divisions and six of its 10 regional offices will lose
their top leaders by the end of May.
The shakeup also hits CISA's national field teams: directors in six regions,
(06:17):
along with key deputies, are stepping down or have already departed.
These field leaders were instrumental in building trust with state, local, and
private sector partners across the US, and their exit signals a major setback for
CISA's national reach and impact. CISA's back office leadership isn't spared either.
The agency's chief strategy officer, chief financial officer, chief contracting
(06:42):
officer, and chief human capital officer are also leaving, most of them by May 30th.
Morale is suffering.
One CISA staffer said there's a lot of anxiety around when the cuts and
departures will finally stop and we can move forward as an agency.
Another employee put it more bluntly: it feels like the wrong people are leaving.
(07:04):
All of these departures make it feel like people are leaving the
mission and creating a vacuum.
Former CISA leader Suzanne Spaulding called the loss of institutional
knowledge sad and maddening, warning that the vacuum of experience will leave
the nation less secure and resilient.
Executive Director Bridget Bean issued a statement reaffirming commitment to its
(07:27):
mission, saying the agency has the right team in place and it's doubling down
on protecting critical infrastructure.
But with the top talent walking out the door, that message is being met with,
let's just say, growing skepticism inside and outside the agency.
And this is more than a personnel shuffle. With senior leadership across the board
(07:49):
exiting, America's leading cyber defense agency may be entering one of the most
vulnerable moments in its history,
just as global tensions are rising and digital threats are mounting.
For now, the question isn't who's leaving, it's who will be left.
And CISA is also an agency that many cyber professionals depend on as a resource.
(08:11):
There's a real danger that might be coming to an end.
When Elon Musk launched X's Creator Revenue Sharing Program, the idea
was simple: pay premium users based on their engagement to keep them active.
After all, users were paying $8 a month for verification, and they
could earn money when other premium users interact with their content.
(08:35):
Sounds reasonable, right?
Well, it created a perfect target for fraud. Eight individuals operating
from a small office in downtown Hanoi built what amounts to
a sophisticated fraud machine.
Here's their three-step process.
First, they stole identities to create 125 fake US bank accounts
and hundreds of fake X profiles.
(08:56):
Secondly, they used software to automatically generate content and
make these fake accounts like, repost, and engage with others, creating
completely artificial engagement.
Third, they collected payouts from X based on this fake activity,
funneling money through over 1,700 transactions across multiple payment
processors to Vietnamese banks.
(09:19):
But here's what makes this really interesting from a
cybersecurity perspective.
They didn't just commit fraud, they commercialized it.
They created tools like the XGPT tool and sold their techniques across
YouTube, TikTok, and other platforms, essentially running fraud as a service.
X's private investigators finally tracked them down through the payment trail
(09:42):
when payment processors PingPong and Payoneer turned over identity documents.
Investigators found the eight defendants in Hanoi.
A federal lawsuit was filed this week seeking to recover the stolen funds.
This case highlights critical vulnerabilities in modern platforms.
Any system that automatically pays users based on digital metrics
(10:03):
becomes a honeypot for fraudsters.
The attackers were able to reverse engineer X's engagement
algorithm and exploit weak identity verification in payment systems.
For cybersecurity professionals,
this demonstrates why behavioral analytics and fraud detection must
be built into reward systems from day one, not added as an afterthought.
(10:25):
When you combine AI-driven engagement with financial incentives, you
create attractive targets for sophisticated cyber criminals.
If social media companies get more sophisticated in monetizing user
engagement, cyber criminals are going to evolve their techniques as well.
The Vietnamese click farm case serves as a reminder that in cybersecurity,
the most sophisticated attacks often exploit the simplest system incentives.
(10:50):
Every automated reward system needs fraud prevention built in from the ground up.
And that's our show for today.
Love to hear what you think.
You can reach me at editorial@technewsday.ca or on LinkedIn,
or if you're watching this on YouTube, just drop a note under the video.
And if you're enjoying this content, we'd love it if you recommend it to a friend.
(11:12):
And if you can help us out financially with a small donation at
buymeacoffee.com/techpodcast, that's
buymeacoffee.com/techpodcast, it'll really help with the expenses on the show.
I'm your host, Jim Love.
Thanks for listening.