Cyber Security Headlines: Namecheap phishes customers, Bing hit with injection attack, regulators stop BUSD minting

Namecheap sent phishing emails to customers

The domain registrar says the third-party provider it uses for its newsletter, Twilio-owned SendGrid, sent out apparent phishing emails to its customers. The messages claimed to be from either DHL or the crypto wallet MetaMask. They carried valid DKIM signatures and came from addresses previously used only for Namecheap communications, so they passed the usual authentication checks and were hard to distinguish from legitimate mail. The DHL lure followed the classic scheme of paying a small shipping fee to receive a “free” package, while the MetaMask messages asked for “Know Your Customer” information that could be used to steal a wallet. SendGrid said it had begun investigating and did not believe it suffered a network breach.

(The Register)

New Bing search hit with injection attack

Microsoft began slowly rolling out beta access to its “New Bing” search with generative-AI integration using its Prometheus engine. Stanford student Kevin Liu used a prompt injection to extract a list of statements governing how the system interacts with users. Prompt injections feed a model input that it treats as instructions, allowing an attacker to override the limits and directions set in the model’s own prompt. The injection against Bing revealed its internal codename, Sydney, that it should refer to itself as “Bing Search” or “This is Bing,” and that it should not disclose that alias. The instructions also tell Bing not to reply with copyright-infringing content and not to tell jokes that “can hurt a group of people.”

(Ars Technica)

Regulators stop minting of BUSD stablecoin

The New York Department of Financial Services ordered Paxos Trust to stop minting the Binance USD stablecoin. The regulator alleged that Paxos failed to conduct required risk assessments. Paxos backs the coin one-to-one with the US dollar and has partnered with Binance on it since 2019; it had previously received approval from the regulator. This comes as the Wall Street Journal’s sources say the US Securities and Exchange Commission informed Paxos it intends to sue the company for violating consumer protection laws. CoinDesk reports that BUSD temporarily lost its peg to the dollar as customers apparently rushed to cash out.


European carriers form adtech joint venture

Germany’s Deutsche Telekom, France’s Orange, Spain’s Telefonica and the UK’s Vodafone previously proposed creating a joint venture to operate cross-operator ad-targeting infrastructure built on first-party data. First-party data is the key term, as both Google and European regulators increasingly look to restrict how third-party cookie data can be used. The European Commission’s antitrust division ruled that the venture did not raise competition concerns, giving it the green light to proceed. The carriers say the adtech infrastructure will require explicit consent from subscribers before their personal data is used. Even as it cleared the venture, the European Commission said that “[d]ata protection rules are fully applicable.”


And now a word from our sponsor, US, yes, CISO Series

“Those cyber security headlines are fantastic. It’s the first thing I look at in the am.” That’s a quote from active listener Jared Mendenhall, head of information security at Impossible Foods. Cyber Security Headlines is our fastest growing show on the CISO Series network. It’s grown 20-fold since we launched. And it did so during the pandemic while other shows started to slide. That’s because at only 6-7 minutes every day, Cyber Security Headlines does not need a commute to consume. Listen before you start your day. To learn more about pricing and audience, email us at

Bakkt backs out of consumer app

The digital asset platform launched in March 2021, offering the ability to integrate crypto assets with other digital accounts, such as gift cards and loyalty programs. It eventually gained partnerships with some big names, including Choice Hotels, Starbucks, and Best Buy. However, Bakkt announced it will shut down its consumer-facing app as of March 16th, focusing on business-to-business services going forward. While the app is going away, users will still be able to manage their assets through its web app after the shutdown.


Malicious open source packages discovered

Researchers at Sonatype used the company’s AI tooling to discover 691 malicious npm packages and 49 malicious PyPI components. Many of these carried the same payload, a trojan designed to mine cryptocurrency on Linux. The researchers attributed some of the packages to a single actor, and the packages have been removed from the registries. Other malware discovered included RATs, infostealers, and code that checks whether it is running inside a virtual machine. Since 2019, Sonatype has flagged over 100,000 packages as malicious, suspicious, or proof-of-concept.

(InfoSecurity Magazine)

Data brokers hoover up US mental health data

A new study by researchers at Duke’s Sanford School of Public Policy found 11 companies willing to sell tranches of personal data on Americans, including mental health information. This included which antidepressants people were taking, whether they struggled with insomnia, or whether they had Alzheimer’s disease. Some brokers aggregated this information by zip code, while others tied it directly to names, addresses, and incomes. While the Health Insurance Portability and Accountability Act, or HIPAA, restricts how “covered health entities” share health data, its protections do not follow the data once it has been passed to a party outside that definition. Some brokers offered individuals an opt-out, but individuals receive no notification when brokers initially obtain their data, so they have no way of knowing there is anything to opt out of.


Pig butchering scams on the rise

You might think that, with today being Valentine’s Day, this would be the day we’d see a big peak in romance scams. But researchers at Sophos warn they have seen a spike in so-called “pig butchering” schemes over the past 18 months. This follows a similar FBI warning back in December. In Sophos’ investigation, it found a scammer posing as the nephew of a former Goldman Sachs analyst, pitching a fraudulent version of the Russian trading app MetaTrader 4. Sophos reported seeing the same app used in multiple similar scams. The researchers found scammers approaching potential victims on dating sites, using emotional manipulation to push them into moving money into investment apps.


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.