This writeup details innovative ‘syntax confusion’ techniques exploiting how two or more components can interpret the same input differently due to ambiguous or inconsistent syntax rules.
Alex Brumen aka Brumens provides step-by-step guidance, supported by practical examples, on crafting payloads to confuse syntaxes and parsers – enabling filter bypasses and real-world exploitation.
This research was originally presented at NahamCon 2025.
Think prepared statements automatically make your Node.js apps secure? Think again.
In my latest blog post, I explore a surprising edge case in the mysql and mysql2 packages that can turn “safe” prepared statements into exploitable SQL injection vulnerabilities.
Curious what frameworks people use for desktop application testing. I run a pentesting firm that does thick clients for enterprise, and we couldn't find anything comprehensive for this.
Ended up building DASVS over the past 5 years - basically ASVS but for desktop applications. Covers desktop-specific stuff like local data storage, IPC security, update mechanisms, and memory handling that web testing frameworks miss. Been using it internally for thick client testing, but you can only see so much from one angle. Just open-sourced it because it could be useful beyond just us.
The goal is to get it to where ASVS is: community-driven, comprehensive, and actually used.
To people who do desktop application testing, what is wrong or missing? Where do you see gaps that should be addressed? In the pipeline, we have testing guides per OS and an automated assessment tool inspired by MobSF. What do you use now for desktop application testing? And what would make a framework like this actually useful?
I'm sharing a new open-source tool I developed: the Ephemeral Vulnerability Scanner.
If you're tired of using security tools that require you to send sensitive lists of your installed software to a 3rd party server, this is your solution.
What it does:
You run a simple command (PowerShell, dpkg -l, brew list) to generate a local inventory.json file.
You open the scanner's index.html in your browser.
You upload the file (it stays local!).
The browser's JavaScript performs the lookup against public APIs (MSRC, OSV.dev, CISA KEV) and gives you a professional, exportable report.
The core benefit is privacy: Your inventory never leaves your control. Analysis is ephemeral—everything is gone when you close the tab.
It supports Windows, Linux, and macOS, giving you a unified, free way to scan packages across your fleet.
We've just released a tool that fixes a particularly annoying problem for those trying to fuzz HTTP/3.
The issue is that QUIC is designed to prevent network bottlenecks (HOL blocking), which is beneficial, but it disrupts the fundamental timing required for exploiting application-level race conditions. We tried all the obvious solutions, but QUIC's RFC essentially blocks fragmentation and other low-level network optimizations. 🤷♂️
So, we figured out a way to synchronize things at the QUIC stream layer using a technique we call Quic-Fin-Sync.
The gist:
Set up 100+ requests, but hold back the absolute last byte of data for each one.
The server gets 99.9% of the data but waits for that last byte.
We send the final byte (and the crucial QUIC FIN flag) for all 100+ requests in one single UDP packet.
This one packet forces the server to "release" all the requests into processing near-simultaneously. It worked way better than existing methods in our tests—we successfully raced a vulnerable Keycloak setup over 40 times.
If you are pentesting HTTP/3, grab the open-source tool and let us know what you break with it. The full write-up is below.
What’s the most frustrating thing you’ve run into trying to test QUIC/HTTP/3?
Immigration and Customs Enforcement lifted a $180 million cap on a proposed immigrant-tracking program while guaranteeing multimillion-dollar payouts for private surveillance firms.
Scammers aren’t worried about ending up on the naughty list. If anything, they’re doubling down in 2025.
This year, scammers are impersonating major brands with startling accuracy, from fake delivery updates to cloned checkout pages.
Our McAfee Labs researchers analyzed real scam texts, emails, and URLs from October through early November, along with consumer survey data, to identify the patterns shaping this season’s fraud.
Here’s what shoppers need to know, what’s trending upward, and how to spot the fakes before they reach your cart.
What Is a Holiday Brand-Impersonation Scam?
A brand-impersonation scam is when criminals copy a real brand, like a retailer, tech company, bank, or delivery service, to make fake emails, texts, ads, or websites that look legitimate.
Their goal is to trick shoppers into clicking, entering account details, or making a payment.
McAfee Labs’ brand impersonation analysis shows criminals focusing on the items people shop for most — tech gifts, luxury goods, and high-demand drops.
Fake versions of these brands typically include:
Copied product photos
Familiar layouts
Holiday sale graphics
Support pages designed to capture logins
An example of a phishing attempt this holiday season. THIS IS A FAKE PHISHING EMAIL!
Which Brands Are Being Faked the Most This Holiday Season?
Top 5 most impersonated luxury brands
Coach
Dior
Ralph Lauren
Rolex
Gucci
Top 5 most impersonated mainstream consumer brands
Apple
Nintendo
Samsung
Disney
Steam
Other Key Research Takeaways:
Email scams are exploding, up ~50% in retail and ~85% in tech as the holidays approach.
Fake storefronts are rising, with technology URL scams up nearly 50% and consumer URL scams up ~5%.
Trusted brands are the most impersonated, including Amazon, Microsoft, Apple, Walmart, and Costco.
96% plan to shop online
91% see ads from unfamiliar retailers
37% may buy from brands they don’t recognize
AI is reshaping scams, with 46% of Americans encountering fake celebrity or influencer endorsements.
How to Stay Safe While Brands Are Being Faked This Season
Scammers are getting better at copying the brands you trust, but avoiding the fakes gets much easier when you slow down, verify what you see, and use tools that check links and messages before you click.
Here’s what actually helps during a season when realistic-looking scams are everywhere:
1. Go straight to the source
If you get a message about an order, refund, delivery issue, or account lockout, don’t click the link.
Go directly to the retailer’s app or type the URL manually.
This single habit eliminates most holiday scams.
This may look exactly like the Netflix login page… but it’s not. This scam landing page is meant to steal your username and password.
2. Inspect the sender, not the graphics
Scammers can recreate logos, colors, and templates perfectly.
What they can’t easily mimic:
A legitimate domain
A verified phone number
A support email that matches the company’s format
If the sender looks off, the message is off.
3. Let security tools check the link for you
McAfee’s online protection adds a critical layer of holiday safety, especially when scammers imitate retailers with near-perfect accuracy.
Key protections include:
Web Protection
Blocks malicious or suspicious websites before they load — including fake checkout pages, login portals, and support sites.
Scam Detector
Built into all core McAfee plans. It flags scam texts, emails, and even deepfake-style video promotions, letting you know a link or message is unsafe before you interact with it.
Password Manager
Creates and stores strong, unique passwords so a stolen login from one retailer doesn’t unlock your whole digital life.
Identity & Financial Monitoring
Transaction Monitoring and Credit Monitoring can alert you to unusual activity — a crucial safety net when stolen logins, card numbers, or personal details circulate quickly during the holidays.
These tools help counter the exact tactics scammers rely on: cloned websites, fake brand emails, and phishing links disguised as legitimate retailers.
This shows a smishing (SMS phishing) text from a fake Amazon. Companies won’t text you like this.
4. Turn on two-factor authentication everywhere you shop
Even if a scammer gets your password, they can’t get in without your one-time code.
5. Treat urgency as a red flag
Legitimate companies don’t ask you to “act in minutes,” pay fees to “unlock” an account, or claim you must stay on the line.
Pressure is a tactic — not customer service.
6. Keep an eye on your accounts
Check your banking and shopping accounts weekly.
Small unauthorized charges often appear before large ones.
I built a cloaker that’s been flying under Meta’s radar — and I want to see if you can break it.
The challenge is simple: 🧠 Try to identify any vulnerabilities or leaks in the cloaker system I’m using. 🚀 If you manage to break it or point out a real flaw, I’ll send you a little prize (or maybe a project if you impress me).
Hint: The ad on Meta shows one thing... But the landing page is completely different from the advertised offer.
Let’s see if you’re sharp enough to catch it 😏 Game on?
I’ve published a technical case study analyzing a design issue in how the Binance API enforces IP whitelisting. This is not about account takeover or fund theft — it’s about a trust-boundary mismatch between the API key and the secondary listenKey used for WebSocket streams.
Summary of the issue
A listenKey can be created using only the API key (no secret, no signature).
The API key is protected by IP whitelisting.
The listenKey is not protected by IP whitelisting.
Once a listenKey leaks anywhere in the toolchain — debug logs, third-party libraries, bots, browser extensions, supply-chain modules — it can be reused from any IP address.
This exposes real-time trading activity, balances, open orders, leverage changes, stop levels, liquidation events and more.
This is not a direct account compromise. It’s market-intelligence leakage, which can be extremely valuable when aggregated across many users or bot frameworks.
Why this matters
Many users rely on IP whitelisting as their final defensive barrier. The listenKey silently bypasses that assumption. This creates a false sense of security and enables unexpected data exposure patterns that users are not aware of.
Disclosure process
I responsibly reported this and waited ~11 months. The issue was repeatedly categorized as “social engineering,” despite clear architectural implications. Therefore, I have published the analysis openly.
Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms.
I was looking for top universities for a Master's in Cybersecurity. For my background, I have done a Bachelor's in Computer Science and I have 2.5 years of industry experience in Application Security, Cloud Security and Product Security.
I was not a top student at my Bachelor's and neither is my university highly ranked (CGPA: 8.5). Hence getting admission into the ETHz MS Cyber program seems tough, though I would still apply.
I know a couple of other universities in Europe which are well known, but I'm not sure how respected the curriculum is. I have done my research, but I wouldn't want to miss out on any hidden gem.
Looking for:
1. Well-recognized and reputable universities (preferably public, but can consider private)
2. Would be great if the university has a hacking group which is doing well in CTF competitions
USA and UK could have been great options, but they are crazy expensive, and the post-study laws, migration and job search are pretty bad out there. Please correct me if I am wrong.
I would really appreciate your recommendations from your experience and knowledge.
Got tired of your log analysis workflow being: export logs → wait for jq → try different filter → wait again → eventually load into ELK → wait for indexing.
Built JSONL Viewer Pro to solve this. Native desktop app (Mac) that handles the log analysis I do daily without needing infrastructure.
Technical details:
Multi-threaded simdjson parser - opens 5GB files in ~10 seconds
Leading off our news on scams this week, a heads-up for DoorDash users, merchants, and Dashers too. A data breach of an undisclosed size may have impacted you.
Per an email sent by the company to “affected DoorDash users where required,” a third party gained access to data that may have included a mix of the following:
First and last name
Physical address
Phone number
Email address
You might have got the email too. And even if you didn’t, anyone who’s used DoorDash should take note.
As to the potential scope of the breach, DoorDash made no comment in its email or a post on their help site. Of note, though, is that one of the help lines cited in their post mentions a French-language number—implying that the breach might affect Canadian users as well. Any reach beyond the U.S. and Canada remains unclear.
Per the company’s Q2 financial report this year, DoorDash serves “hundreds of thousands of merchants, tens of millions of consumers, and millions of Dashers across over 30 countries every month.” Stats published elsewhere put the user base at more than 40 million people, which includes some 600,000 merchants.
The company underscored that no “sensitive” info like Social Security Numbers (and potentially Canadian Social Insurance Numbers) was involved in the breach. This marks the third notable breach at the well-known delivery service, following incidents in 2019 and 2022.
Image of DoorDash email about data breach.
What to do if you think you got caught up in the DoorDash breach
While the types of info involved here appear to be limited, any time there’s a breach, we suggest the following:
Protect your credit and identity. Checking your credit and getting identity theft protection can help keep you safer in the aftermath of a breach. Further, a security freeze can help prevent identity theft if you spot any unusual activity. You can get all three in place with our McAfee+ Advanced or Ultimate plans.
Keep an eye out for phishing attacks. With some personal info in hand, bad actors might seek out more. They might follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal info. As with any text or email you get from a company, make sure it’s legitimate before clicking or tapping on any links. Instead, go straight to the appropriate website or contact them by phone directly. Also, protections like our Scam Detector and Web Protection can alert you to scams and sketchy links before they take you somewhere you don’t want to go.
Update your passwords and use two-factor authentication. Changing your password is a strong preventive measure. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager helps you stay on top of it all while also storing your passwords securely.
Attention travelers: Now boarding, a rise in flight cancellation scams
Even as the FAA lifted recent flight restrictions on Monday morning, scammers are still taking advantage of lingering uncertainty, and upcoming holiday travel, with a spate of flight cancellation scams.
How the scam works
Fake cancellation texts
The first comes via a text message saying that your flight has been cancelled and you must call or rebook quickly to avoid losing your seat—usually in 30 minutes. It’s a typical scammer trick, where they hook you with a combination of bad news and urgency. Of course, the phone number and the site don’t connect you with your airline. They connect you to a scammer, who walks away with your money and your card info to potentially rip you off again.
Fake airline sites in search results
The second uses paid search results. We’ve talked about this trick in our blogs before. Because paid search results appear ahead of organic results, scammers spin up bogus sites that mirror legitimate ones and promote them in paid search. In this way, they can look like a certain well-known airline and appear in search before the real airline’s listing. With that, people often mistakenly click the first link they see. From there, the scam plays out just as above as the scammer comes away with your money and card info.
How to avoid flight cancellation scams
Q: How can I confirm whether my flight is really canceled? A: Check directly in your airline’s official app or website. Never click links in texts or emails.
Q: How can I spot a fake airline search result? A: Look for “Ad”/“Sponsored,” confirm the URL, and check that the site uses HTTPS, not HTTP.
Q: Is there a tool that flags fake booking sites? A: Scam-spotting tools like Scam Detector and Web Protection can identify sketchy links before you click.
In search, first isn’t always best.
Look closely to see if your top results are tagged with “Sponsored” or “Ad” in some way, realizing it might be in fine print. Further, look at the web address. Does it start with “https” (the “s” means secure)? Many scam sites simply use an unsecured “http” site. Also, does the link look right? For example, if you’re searching for “Generic Airlines,” is the link the expected “genericairlines dot-com” or something else? Scammers often try to spoof it in some way by adding to the name or by creating a subdomain like this: “genericairlines.rebookyourflight dot-com.”
Get a scam detector to spot bogus links for you.
Even with these tips and tools, spotting bogus links with the naked eye can get tricky. Some look “close enough” to a legitimate link that you might overlook it. Yet a combination of features in our McAfee+ plans can help do that work for you. Our Scam Detector helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. Likewise, our Web Protection will alert you if a link might take you to a sketchy site. It’ll also block those sites if you accidentally tap or click on a bad link.
Scammers Hijack a Trusted Mass Texting Provider
You’ve probably seen plenty of messages sent from short code numbers. They’re the five- or six-digit codes used to send texts instead of a regular phone number. For example, your cable company might use one to send a text for resetting a streaming password; the same goes for your pharmacy letting you know a prescription is ready, or your state’s DoT issuing a winter travel alert, and so on.
According to NBC News, scammers sent hundreds of thousands of texts using codes used by the state of New York, a charity, and a political organizing group. The article also cites an email sent to messaging providers by the U.S. Short Code Registry, an industry nonprofit that maintains those codes in the U.S. In the email, the registry said attempted attacks on messaging providers are on the rise.
What this means for the rest of us is that just about any text from an unknown number, and now short codes, might contain malicious links and content. It’s one more reason to arm yourself with the one-two punch of our Scam Detector and Web Protection.
What are short codes?
Short codes are 5–6 digit numbers used by pharmacies, utilities, banks, and government agencies to send official alerts.
Why this attack is unusual
Scammers didn’t spoof short codes—they gained access to real ones used by:
The State of New York
A charity
A political organizing group
Why this matters
Even texts from legitimate short-code numbers can no longer be trusted at face value.
What to do now
Treat any unexpected text—even from a short code—as suspicious.
Don’t tap links.
Verify by going directly to the official website or app.
Plus: The SEC lets SolarWinds off the hook, Microsoft stops a historic DDoS attack, and FBI documents reveal the agency spied on an immigration activist Signal group in New York City.
Depending on configuration and timing, a Sliver C2 user's machine (operator) could be exposed to defenders through the beacon connection. In this blog post, I elaborate on some of the reverse-attack scenarios, including attacking the operators and piggybacking to attack other victims.
You could potentially gain persistence inside the C2 network as well, but I haven't found the time to write about it in depth.
At New Zealand's Kawaiicon cybersecurity convention, organizers hacked together a way for attendees to track CO2 levels throughout the venue—even before they arrived.
Want McAfee’s latest scam alerts, cybersecurity tips, and safety updates to show up automatically in your Google News feed? You can follow McAfee directly on Google News with a single tap.
Google News now gives every official publisher a dedicated page — and McAfee has one. Once you follow us, our newest articles will appear in your Following tab and throughout your personalized news feed whenever they’re relevant to you.
Contactless payments make everyday purchases fast and easy. Yet with that convenience comes a risk: ghost tapping.
In crowded spaces or rushed moments, a scammer could trigger a small tap-to-pay charge or push through a higher amount without your clear consent. Understanding what ghost tapping is, how it happens, and what to do next helps you keep your money and identity secure.
What Is Ghost Tapping?
Ghost tapping is a form of contactless fraud where someone attempts to initiate a tap-to-pay transaction without your approval.
Tap-to-pay cards and mobile wallets on phones use a technology called “near-field communication,” or NFC. That lets them communicate with things like a point-of-sale device for payment at a very close range. It’s generally quite safe, particularly because of the “near” part. You have to get very close to make the connection.
Even so, proximity and distraction can be exploited. Attackers may try to skim limited details from RFID (Radio Frequency Identification technology) cards or NFC cards, or nudge you into approving a payment you didn’t intend. If you’ve ever wondered what ghost tapping is, think of it as an opportunistic, in-person scam that abuses the tap-to-pay moment rather than a remote hack.
How Ghost Tapping Happens
Most schemes rely on getting close and catching you off guard. A criminal might carry a portable reader, press into a pocket or bag, and attempt a low-value charge. Others set up tampered terminals, rushing you so you don’t check the amount.
Consider These Two Scenarios:
You’re at a busy farmer’s market. A scammer with a phone equipped with a point-of-sale app stumbles into you and gets close enough to your card to trigger a transaction. It’s almost like a modern-day pickpocket move, where the bump distracts the victim from the theft as it happens.
In another case, you might come across a phony vendor. Maybe someone’s selling cheap hats outside a football game or someone’s going around your neighborhood selling candy, supposedly to support a charity. In scenarios like these, you tap to pay with your phone just as you’d expect… but with one exception: the “vendor” jacks up the purchase price. They hurry you through the transaction, so quickly that you don’t review the screen before you confirm payment.
We’ve also seen reports of people getting Apple Pay scammed by impostor merchants who exploit quick taps and small screens. While mobile wallets add strong safeguards, poor visibility and social pressure can still lead to losses.
“An individual is going door to door in [location redacted] claiming to be selling chocolate on behalf of [redacted] to support special needs students. He says that he can only accept tap-to-pay to get people to pay with a card. He then charges large amounts to the card without the cardholder being able to see the amount. He got my mother for $537… Another victim for $1100… He changes neighborhoods frequently to avoid getting caught.”
Signs of Ghost Tapping and Common Myths
Early ghost detecting starts with vigilance. Watch for unfamiliar small charges, especially after crowded events, and alerts tied to contactless transactions. If you see odd activity tied to RFID cards or NFC cards, act quickly.
Common myths persist. Attackers can’t drain accounts from far away, clone full cards via a tap, or bypass wallet protections easily. Most successful cases hinge on proximity, distraction, and human error. Meanwhile, Apple Pay scam stories often involve rushed taps and unverified totals.
Effective ghost detecting focuses on timely alerts, careful review, and immediate response.
How to Protect Yourself from Ghost Tapping Scams
The BBB, which recently broke the story of these scams, offers several pieces of advice. We have some advice we can add as well.
From the BBB…
Store your cards securely. An RFID-blocking wallet or sleeve can help stop wireless skimming.
Always confirm payment details. Before tapping your card or phone, check the merchant’s name and amount on the terminal screen.
Set up transaction alerts. Many banks allow real-time notifications for every charge.
Keep an eye on your accounts. Daily checks help you spot fraud faster.
Limit tap-to-pay use in high-risk areas. Consider swiping or inserting your card instead.
From us at McAfee…
Monitor your identity and your credit.
The problem with many card scams is that they can lead to further identity theft and fraud, which you only find out about once the damage is done. Actively monitoring your identity and credit goes beyond single transaction alerts from your bank and can spot an emerging problem before it becomes an even bigger one. You can take care of both easily with timely notifications from our credit monitoring and identity monitoring features, all as part of our McAfee+ plans.
When you’re out and about, consider what you’re carrying—and where you carry it.
The physical safety of your phone and cards counts as well. While ghost tapping scams are new, old-school physical pickpocketing attempts persist. When it comes to devices and things like debit cards, credit cards, and even cash, keep what you bring with you to the bare minimum when you go out. This can cut your losses if the unfortunate happens. If you have a credit card and ID holder attached to the back of your phone, you may want to remove your cards from it. That way, if your phone gets snatched, those important cards don’t get snatched as well.
When in doubt, shop with a credit card.
In the U.S., credit cards offer you additional protection that debit cards don’t. That’s thanks to the Fair Credit Billing Act (FCBA). It limits your liability to $50 for fraudulent charges on a credit card if you report the loss to your issuer within 60 days.
Generative AI is making it even easier for attackers to exploit old and often forgotten network equipment. Replacing it takes investment, but Cisco is making the case that it’s worth it.
In this episode of Uncanny Valley, we discuss our scoop about how the Department of Homeland Security illegally collected Chicago residents’ data for months, as well as the news of the week.
We are building a foundational technology that is a billion-dollar IP. We need three key pillars of engineering talent to formalize this system:
Mathematical Proof Architect: Expertise in formal assurance and engineering deterministic systems to mathematically verify code correctness.
Trust Architect (Advanced Distributed Systems): Deep experience in cryptography, immutability, and creating trust architectures that are legally non-repudiable.
Critical Systems Engineer: Mastery of low-level, high-assurance security engineering in performance-critical or regulated environments.
If you possess these specific skills and want to get in on the ground floor of a billion-dollar IP and secure significant stake shares and profits, DM me ASAP. Preferred location is the U.S., but we will enthusiastically consider exceptional talent globally.
Schools in the US are installing vape-detection tech in bathrooms to thwart student nicotine and cannabis use. A new investigation reveals the impact of using spying to solve a problem.
Hi folks, I tried to detect BGP hijacks. My approach is pretty straightforward, as below:
I downloaded IP/ASN data sets from the IRRs (RIPE/ARIN/APNIC) and stored them in a search engine (supporting partial/prefix queries), then I crawled BGP stream data from RouteViews. If I found the origin ASN was different from the IRR, then the
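The comparison the post describes, as an added illustration that is not the poster's code: constructed IRR route objects and constructed RouteViews-style updates (both hypothetical, using documentation address ranges) are matched by most-specific covering prefix, and each announcement is classified as valid, unregistered, ambiguous, or a possible origin/subprefix hijack. IRR data is unvalidated and often stale, so every non-valid verdict is a lead to check against RPKI and the prefix holder, not proof of a hijack.

```python
"""Flag BGP origin mismatches against IRR route objects (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of IRR route/route6 objects: prefix -> set of origin ASNs.
# Hypothetical values on documentation ranges, not real registry data.
IRR_ROUTES = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/22": {64501},
    "198.51.100.0/24": {64502},            # more-specific object with a different origin
    "2001:db8::/32": {64500, 64503},       # two route6 objects for one prefix
}

# Constructed BGP updates in a simple "prefix|AS_PATH" form, standing in for
# the RouteViews feed the post crawls.
SAMPLE_UPDATES = [
    "192.0.2.0/24|64496 64497 64500",
    "192.0.2.0/24|64496 64999",            # wrong origin for a registered prefix
    "192.0.2.0/25|64496 64999",            # more-specific from an unregistered origin
    "198.51.100.0/24|64496 64501",         # origin registered only for the covering /22
    "2001:db8:1::/48|64496 64503",
    "203.0.113.0/24|64496 64498",          # no route object at all
    "192.0.2.0/24|64496 {64500,64501}",    # AS_SET origin: cannot attribute
]


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: str
    origin_asn: Optional[int]


def build_index(routes):
    """Parse prefix strings to network objects once, so lookups stay cheap."""
    return {ipaddress.ip_network(p): set(asns) for p, asns in routes.items()}


def origin_from_path(as_path: str) -> Optional[int]:
    """The origin is the rightmost ASN; an AS_SET ({...}) gives no single origin."""
    last = as_path.split()[-1]
    if last.startswith("{"):
        return None
    return int(last)


def parse_update(line: str) -> Announcement:
    prefix, as_path = line.split("|", 1)
    return Announcement(prefix, as_path, origin_from_path(as_path))


def covering_routes(index, prefix):
    """IRR objects whose prefix contains the announcement, most specific first."""
    net = ipaddress.ip_network(prefix)
    matches = [(p, a) for p, a in index.items()
               if p.version == net.version and net.subnet_of(p)]
    matches.sort(key=lambda pa: pa[0].prefixlen, reverse=True)
    return matches


def classify(index, ann: Announcement) -> str:
    if ann.origin_asn is None:
        return "as-set-origin"
    matches = covering_routes(index, ann.prefix)
    if not matches:
        return "unregistered"            # IRR coverage is incomplete: low confidence
    most_specific, asns = matches[0]
    if ann.origin_asn in asns:
        return "valid"
    if any(ann.origin_asn in a for _, a in matches[1:]):
        # Registered for a covering prefix, but not for this exact/more-specific one.
        return "ambiguous-less-specific"
    if ipaddress.ip_network(ann.prefix).prefixlen > most_specific.prefixlen:
        # A more-specific than any registered object, from an unregistered origin.
        return "possible-subprefix-hijack"
    return "possible-origin-hijack"


def scan(routes, update_lines):
    """Return {update line: verdict}; the caller alerts on anything but 'valid'."""
    index = build_index(routes)
    return {line: classify(index, parse_update(line)) for line in update_lines}


if __name__ == "__main__":
    for line, verdict in scan(IRR_ROUTES, SAMPLE_UPDATES).items():
        print(f"{verdict:28} {line}")
```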
As the holiday season ramps up, so do group dinners, shared travel costs, gift exchanges, and all the little moments where someone says, “Just Venmo me.”
With more people sending and splitting money this time of year, scammers know it’s prime time to target payment apps. Here’s how to keep your Venmo transactions safe during one of the busiest — and riskiest — payment seasons.
What kind of scams are on Venmo?
Venmo scams come in all shapes, and many of them look like variations of email phishing and text scams. The scammers behind them will pose as Venmo customer service reps who ask for your login credentials. Other scammers offer bogus cash prizes and pyramid schemes that lure in victims with the promise of quick cash. Some scammers will use the app itself to impersonate friends and family to steal money.
Venmo has a dedicated web page on the topic of scams, and lists the following as the top Venmo scams out there:
· Fake Prize or Cash Reward
· Call from Venmo
· Call from Tech Support
· Fake Payment Confirmation
· Pre-payment for Goods and Services
· Stranger Posing as a Friend
· Payments from Strangers
· Offers to Make Money Fast
· Paper Check Scam
· Romance Scam
Venmo has thorough instructions to combat these scams and breaks them down in detail on its site. They also provide preventative tips and steps to take if you unfortunately fall victim to one of these scams. Broadly speaking, though, avoiding Venmo scams breaks down into a few straightforward steps.
How to avoid getting scammed on Venmo
1) Never share private details.
Scammers often pose as customer service reps to pump info out of their victims. They’ll ask for things like bank account info, debit card or credit card numbers, or even passwords and authentication codes sent to your phone. Never share this info. Legitimate reps from legitimate companies like Venmo won’t request it.
2) Know when Venmo might ask for your Social Security number.
In the U.S., Venmo is regulated by the Treasury Department. As such, Venmo might require your SSN in certain circumstances. Venmo details the cases where they might need your SSN for reporting, here on their website. Note that this is an exception to what we say about sharing SSNs and tax ID numbers. As a payment app, Venmo might have legitimate reasons to request it. However, don’t send this info by email or text (any email or text that asks you to do that is a scam). Instead, always use the mobile app by going to Settings –> Identity Verification.
3) Keep an eye out for scam emails and texts.
Venmo always sends communications through its official “venmo.com” domain name. If you receive an email that claims to be from Venmo but that doesn’t use “venmo.com,” it’s a scam. Never click or tap on links in emails or texts supposedly sent by Venmo.
4) Be suspicious of the messages you get. Imposters are afoot.
Another broad category of scams includes people who aren’t who they say they are. In the case of Venmo, scammers will create imposter accounts that look like they might be a friend or family member but aren’t. If you receive an unexpected and likely urgent-sounding request for payment, contact that person outside the app. See if it’s really them.
5) When sending money, keep an eye open for alerts from the app.
Just recently, Venmo added a new feature, dynamic alerts, which helps protect people when sending money via the “Friends and Family” option. It pops up an alert if the app detects a potentially fraudulent transaction and includes info that describes the level of risk involved. In the cases of highly risky payments, Venmo might decline the transaction altogether. This adds another level of protection to Friends and Family payments, which are non-refundable in cases of fraud. Further, this underscores another important point about using Venmo: only pay people you absolutely know and trust.
More ways to stay safe on Venmo
Keep your transactions private. Venmo has a social component that can display a transaction between two people and allow others to comment on it. Payment amounts are always secret. Yet you have control over who sees what by adjusting your privacy settings:
Public – Everyone on the internet can see and comment on the transaction.
Friends – Only your Venmo friends and the other participant’s friends can see and comment on the transaction. (Note that the friends of the other participant might be strangers to you, so “friends and friends of friends” is more accurate here.)
Private – Here, only the participants can view and comment on the transaction.
This brings up the question, what if the participants in the transaction have different privacy settings? Venmo uses the most restrictive one. So, if you’re paying someone who has their privacy set to “Public” and you have yours set to “Private,” the transaction will indeed be private.
We suggest going private with your account. The less financial information you share, the better. You can set your transactions to private by heading into the Settings of the Venmo app, tapping on Privacy, and then selecting Private.
In short, just because something is designed to be social doesn’t mean it should become a treasure trove of personal data about your spending habits.
Add extra layers of security. Take extra precautions that make it difficult for others to access your Venmo app.
First off, lock your phone. Whether with a PIN or other form of protection, locking your phone prevents access to everything you keep on it, which is important in the case of loss or theft. Our own research found that only 58% of adults take the vital step of locking their phones. If you fall into the 42% of people who don’t, strongly consider changing that.
Within the Venmo app, you can also enable Face ID and a PIN (on iOS) or a PIN and biometric unlock (Android). These add a further layer of security by asking for identification each time you open the app. That way, even if someone gets access to your phone, they’ll still have to clear that security hurdle to access your Venmo app.
Use a strong, unique password for your account. That’s a password with at least 13 characters using a mix of cases, numbers, and symbols that you don’t use anywhere else. You can also have a password manager do that work for you across all your accounts.
Keep your online finances even more secure with the right tools
For starters, it includes Web Protection and Scam Detector that can block malicious and questionable links that might lead you down the road to malware or a phishing scam, such as a phony Venmo link designed to steal your login credentials. It also includes a password manager that creates and stores strong, unique passwords for each of your accounts.
Moreover, it further protects you by locking down your identity online. Transaction Monitoring and Credit Monitoring help you spot any questionable financial activity quickly. And if identity theft unfortunately happens to you, up to $2 million in ID theft coverage & restoration can help you recover quickly.
A threat actor known as "888" has allegedly dumped sensitive LG Electronics data on ThreatMon (November 16, 2025). LG has not yet confirmed or denied these claims.
Attack Vector: The leak reportedly originated from a contractor access point, suggesting a supply chain compromise rather than direct breach of LG systems.
Threat Actor Profile: "888" has previously targeted Microsoft, BMW Hong Kong, Decathlon, and Shell. Typically monetizes through ransomware or selling data on breach forums. No public ransom demand in this case yet.
Technical Concerns:
- Hardcoded credentials enable persistence and lateral movement
- SMTP access could facilitate convincing phishing campaigns
- Source code exposure may reveal vulnerabilities in LG IoT devices affecting millions of users globally
Related Context: LG Uplus (LG's telecom division) confirmed a separate breach in October 2025 during a wave of South Korean telecom attacks.
Verification Status: UNCONFIRMED - Awaiting official statement from LG Electronics.
Active Directory compromises, credential theft, lateral movement. See how identity-driven security policies stop breaches before attackers escalate privileges.
By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.