Bug hunter tricked SSL.com into issuing cert for Alibaba Cloud domain in 5 steps
Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites. With those certificates in hand, said fraudsters could set up more-convincing malicious copies of those sites for things like credential phishing, or decrypt intercepted HTTPS traffic between those sites and their visitors. And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba.
Marks & Spencer confirms cybersecurity incident amid ongoing disruption
Retail giant Marks & Spencer has confirmed a cybersecurity incident, as customers report ongoing disruption and outages. The British-headquartered retailer on Tuesday told customers in a notice, which TechCrunch has seen, that the company has been “managing a cyber incident” over the last few days. The notice, signed by chief executive Stuart Machin, said it was necessary to make operational changes “to protect [customers] and the business.”
Phishing detection is broken: Why most attacks feel like a zero day
Phishing attacks remain a huge challenge for organizations in 2025. In fact, with attackers increasingly leveraging identity-based techniques over software exploits, phishing arguably poses a bigger threat than ever before. With MFA-bypassing phishing kits the new normal, capable of phishing accounts protected by SMS, OTP, and push-based methods, detection controls are being put under constant pressure as prevention controls fall short. A key challenge with phishing detection is that based on the indicators that we as an industry use to commonly detect phishing pages, pretty much every phishing attack looks different and uses a unique combination of domain, URL, IPs, page composition, target app, etc. Effectively, every phishing attack is completely novel. You might even describe them as “zero-days” (cue the collective sharp intake of breath)…
FBI: US lost record $16.6 billion to cybercrime in 2024
The FBI says cybercriminals have stolen a record $16,6 billion in 2024, marking an increase in losses of over 33% compared to the previous year. According to the bureau’s annual Internet Crime Complaint Center (IC3) report, IC3 recorded 859,532 complaints last year (256,256 with actual loss), amounting to an average loss of $19,372. The most impacted group is older Americans, especially people over 60, who filed 147,127 complaints linked to approximately $4.8 billion in losses.
159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure
As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. “We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure,” VulnCheck said in a report shared with The Hacker News. This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year. The cybersecurity company said a majority of the exploited vulnerabilities have been identified in content management systems (CMSes), followed by network edge devices, operating systems, open-source software, and server software.
