U.S. Army Soldier Arrested in AT&T, Verizon Extortions - Related to army, at&t,, mastercard, ai-powered, social

MasterCard DNS Error Went Unnoticed for Years

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the enterprise by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the [website] network was misnamed. [website] relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “[website]” but one of them was misconfigured to rely on the domain “[website]”.

This tiny but potentially critical typo was discovered in the recent past by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli mentioned he guessed that nobody had yet registered the domain [website], which is under the purview of the top-level domain authority for the West Africa nation of Niger.

Caturegli noted it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on [website], he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “[website],” but they were by far the largest.

Had he enabled an email server on his new domain [website], Caturegli likely would have received wayward emails directed toward [website] or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher noted he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but noted there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”.

Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the [website] domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

Caturegli stated while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its end-consumers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”.

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli mentioned the reality is that many Internet people are relying at least to some degree on public traffic forwarders or DNS resolvers like Cloudflare and Google.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli stated. By setting their DNS server records with a long TTL or “Time To Live” — a setting that can adjust the lifespan of data packets on a network — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he introduced.

The researcher showcased he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”.

As the screenshot above reveals, the misconfigured DNS server Caturegli found involved the MasterCard subdomain [website] It is not clear exactly how this subdomain is used by MasterCard, however their naming conventions suggest the domains correspond to production servers at Microsoft’s Azure cloud service. Caturegli introduced the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a findings he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “[website]” instead of “[website]” this typo domain also was registered to a Yandex user ([website], and was hosted at the same German ISP — Team Internet (AS61969).

The maintainers of the Python Package Index (PyPI) registry have introduced a new feature that allows...

The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vul...

A 59-year-old man from Irvine, California, was sentenced to 87 months in prison for his involvement ...

Top 5 AI-Powered Social Engineering Attacks

Social engineering has long been an effective tactic because of how it focuses on human vulnerabilities. There's no brute-force 'spray and pray' password guessing. No scouring systems for unpatched software. Instead, it simply relies on manipulating emotions such as trust, fear, and respect for authority, usually with the goal of gaining access to sensitive information or protected systems.

Traditionally that meant researching and manually engaging individual targets, which took up time and resources. However, the advent of AI has now made it possible to launch social engineering attacks in different ways, at scale, and often without psychological expertise. This article will cover five ways that AI is powering a new wave of social engineering attacks.

The audio deepfake that may have influenced Slovakia elections.

Ahead of Slovakian parliamentary elections in 2023, a recording emerged that appeared to feature candidate Michal Simecka in conversation with a well-known journalist, Monika Todova. The two-minute piece of audio included discussions of buying votes and increasing beer prices.

After spreading online, the conversation was revealed to be fake, with words spoken by an AI that had been trained on the speakers' voices.

However, the deepfake was released just a few days before the election. This led many to wonder if AI had influenced the outcome, and contributed to Michal Simecka's Progressive Slovakia party coming in second.

In February 2024 reports emerged of an AI-powered social engineering attack on a finance worker at multinational Arup. They'd attended an online meeting with who they thought was their CFO and other colleagues.

During the videocall, the finance worker was asked to make a $25 million transfer. Believing that the request was coming from the actual CFO, the worker followed instructions and completed the transaction.

Initially, they'd reportedly received the meeting invite by email, which made them suspicious of being the target of a phishing attack. However, after seeing what appeared to be the CFO and colleagues in person, trust was restored.

The only problem was that the worker was the only genuine person present. Every other attendee was digitally created using deepfake technology, with the money going to the fraudsters' account.

Mother's $1 million ransom demand for daughter.

Plenty of us have received random SMSs that start with a variation of 'Hi mom/dad, this is my new number. Can you transfer some money to my new account please?' When received in text form, it's easier to take a step back and think, 'Is this message real?' However, what if you get a call and you hear the person and recognize their voice? And what if it sounds like they've been kidnapped?

That's what happened to a mother who testified in the US Senate in 2023 about the risks of AI-generated crime. She'd received a call that sounded like it was from her 15-year-old daughter. After answering she heard the words, 'Mom, these bad men have me', followed by a male voice threatening to act on a series of terrible threats unless a $1 million ransom was paid.

Overwhelmed by panic, shock, and urgency, the mother believed what she was hearing, until it turned out that the call was made using an AI-cloned voice.

Fake Facebook chatbot that harvests usernames and passwords.

'Put down your weapons' says deepfake President Zelensky.

As the saying goes: The first casualty of war is the truth. It's just that with AI, the truth can now be digitally remade too. In 2022, a faked video appeared to show President Zelensky urging Ukrainians to surrender and stop fighting in the war against Russia. The recording went out on Ukraine24, a television station that was hacked, and was then shared online.

A still from the President Zelensky deepfake video, with differences in face and neck skin tone.

Many media reports highlighted that the video contained too many errors to be believed widely. These include the President's head being too big for the body, and placed at an unnatural angle.

While we're still in relatively early days for AI in social engineering, these types of videos are often enough to at least make people stop and think, 'What if this was true?' Sometimes adding an element of doubt to an opponent's authenticity is all that's needed to win.

AI takes social engineering to the next level: How to respond.

The big challenge for organizations is that social engineering attacks target emotions and evoke thoughts that make us all human. After all, we're used to trusting our eyes and ears, and we want to believe what we're being told. These are all-natural instincts that can't just be deactivated, downgraded, or placed behind a firewall.

Add in the rise of AI, and it's clear these attacks will continue to emerge, evolve, and expand in volume, variety, and velocity.

That's why we need to look at educating employees to control and manage their reactions after receiving an unusual or unexpected request. Encouraging people to stop and think before completing what they're being asked to do. Showing them what an AI-based social engineering attack looks and most importantly, feels like in practice. So that no matter how fast AI develops, we can turn the workforce into the first line of defense.

Here's a 3-point action plan you can use to get started:

Talk about these cases to your employees and colleagues and train them specifically against deepfake threats – to raise their awareness, and explore how they would (and should) respond. Set up some social engineering simulations for your employees – so they can experience common emotional manipulation techniques, and recognize their natural instincts to respond, just like in a real attack. Review your organizational defenses, account permissions, and role privileges – to understand a potential threat actor's movements if they were to gain initial access.

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them t......

Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of informa......

Meta-owned WhatsApp on Friday mentioned it disrupted a campaign that involved the use of spyware to target journalists and civil society members.

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

Federal authorities have arrested and indicted a 20-year-old [website] Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first , the accused is a communications specialist who was recently stationed in South Korea.

Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native Alicia Roen — filled in the gaps.

Roen presented that prior to her son’s arrest he’d acknowledged being associated with Connor Riley Moucka, [website] “Judische,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity .S. Army soldier stationed in South Korea.

Ms. Roen expressed Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She expressed Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen noted. “It was definitely a shock to me when we found this stuff out.”.

Ms. Roen mentioned Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”.

Immediately after news broke of Moucka’s arrest, Kiberphant0m &T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the [website] National Security Agency.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) clients — mainly [website] government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT clients. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone enterprise employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely [website] Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, clients and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major [website] defense contractor.

Allison Nixon, chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She mentioned the investigation into Kiberphant0m presents that law enforcement is getting improved and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she noted.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon mentioned. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”.

The indictment against Wagenius was filed in Texas, but the case has been transferred to the [website] District Court for the Western District of Washington in Seattle.

Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged custo...

​Food delivery corporation GrubHub disclosed a data breach impacting the personal information of an undi...

An insufficient validation input flaw, one of 11 patched in an modification this week, could allow for arb...