Agentic-native startups threaten to reduce the zero-day problem to just a zero-hour issue. Of course, AI agents will accelerate offensive attacks as well.
from darkreading https://ift.tt/UI4NtXA
In this digital age, photos have become one of the most shared and stored types of content online. Whether it’s a picture shared on social media, an image saved to a cloud service, or even photos attached to an email, our personal images are all over the internet. While the convenience of online photo storage can’t be overstated, it also raises significant privacy concerns that many users might overlook. Let’s take a closer look at how photos stored online can potentially compromise your privacy and what you can do to protect your data.
1. Data Breaches and Hacks
One of the most obvious risks associated with online photo storage is the possibility of a data breach or hack. Cloud services, social media platforms, and photo storage apps all store vast amounts of personal information, and while many of these platforms have advanced security measures in place, they are still vulnerable to attacks. In fact, many high-profile hacks have resulted in the exposure of millions of personal images.
For example, in 2019, it was reported that a vulnerability in a popular cloud storage service exposed millions of photos, many of which were private and contained sensitive personal information. If hackers gain access to these platforms, your photos could be stolen, leaked, or used maliciously.
2. Facial Recognition and Tracking
As facial recognition technology becomes more sophisticated, photos you upload online can be used to track your movements and behaviors. Companies like Facebook and Google already use facial recognition technology to identify people in photos automatically. While this might seem harmless, the technology can also be exploited for surveillance purposes.
In some countries, authorities use facial recognition to monitor citizens’ activities. If your photos are stored on platforms that utilize this technology, it could make it easier for your identity to be tracked and monitored without your knowledge or consent. This poses a significant privacy risk, especially when combined with location data that may be embedded in your photos.
3. Metadata and Geolocation Risks
When you take a photo with your smartphone, metadata (such as the time, date, and GPS coordinates) is often automatically attached to the image. This metadata can be incredibly useful for photographers and app developers, but it can also be a privacy nightmare if the photo is uploaded without being stripped of this data.
For example, if you share a vacation photo on social media or cloud storage without removing the GPS coordinates, anyone who views the image can pinpoint your exact location. This can potentially expose sensitive information about where you live, work, or spend time. In some cases, geotagging can be used to track your routine or even determine when you’re away from home, increasing the risk of burglary or other malicious activity.
4. Third-Party Access
Many online platforms and services provide third-party developers with access to the images stored on their platforms. For example, when you allow apps to sync with your cloud storage or social media accounts, those apps often gain access to your photos for purposes such as automatic tagging, photo editing, or content sharing.
While some third-party apps and services may offer legitimate features, they could also have questionable privacy practices. Data could be shared without your consent, sold to marketers, or even used for unintended purposes. It’s essential to review the privacy policies of any app or service that accesses your photos and to adjust settings to limit what third parties can see or use.
5. Inadvertent Sharing
We’ve all been in a situation where we accidentally share a photo we didn’t mean to. Whether it’s a social media post, an email attachment, or an unprotected cloud folder, photos can easily be shared with a wider audience than intended. If a photo you uploaded privately to a service is mistakenly made public, it could cause significant privacy issues.
Some social media platforms and cloud services have “default” privacy settings that allow users to share content with a broader audience than they realize. For instance, many platforms automatically set new accounts to “public,” making anything you upload visible to everyone unless you adjust the settings. This puts your personal photos at risk of being viewed, downloaded, or even copied by anyone.
6. Lack of Control Over Stored Photos
When you store photos on third-party platforms, you essentially give up some degree of control over those images. Even if you delete a photo from your account, it may not actually be erased from the platform’s servers immediately or ever. Many cloud services retain copies of deleted content for a period, sometimes for backup or legal reasons, making it difficult to completely erase a photo from their systems.
Additionally, companies may change their policies or business practices over time. If a service goes bankrupt, is acquired, or undergoes a policy shift, your photos could end up in places you never intended or lose protection they once had.
How to Protect Your Photos and Privacy
Given these concerns, it’s crucial to take steps to protect your photos and privacy when storing images online:
• Use Encrypted Cloud Services: Choose cloud storage platforms that offer end-to-end encryption, ensuring that only you can access your photos.
• Regularly Review Privacy Settings: Whether on social media, cloud storage, or apps, make sure you know and adjust the privacy settings. Limit who can see your photos and who can access them.
• Remove Metadata: Before uploading photos, strip the metadata, particularly location data, from the image to prevent accidental exposure of personal information.
• Enable Two-Factor Authentication (2FA): Use 2FA to add an extra layer of security to your online accounts, making it harder for hackers to access your data.
• Be Cautious with Third-Party Apps: Only grant trusted apps access to your photos and always check what permissions they require before granting access.
• Backup and Delete: If you don’t need a photo, delete it. And for photos that are important but not immediately necessary, consider storing them on a private offline backup device.
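The metadata section above describes GPS coordinates riding along inside the image file, and the "Remove Metadata" step says to strip them before upload. The following added example (not code from the original post) shows what that check and strip actually look like at the byte level for a JPEG: it walks the marker segments, looks inside the APP1 Exif payload for the GPSInfo IFD pointer (tag 0x8825), and rewrites the file without the APP1..APP15 and COM segments. The sample JPEG is constructed inline with only the header segments needed for the demonstration; it assumes a standard-library-only environment and handles JPEG only (PNG, HEIC and others keep metadata in their own containers).

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"
GPS_INFO_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def _ifd_entry(tag, typ, count, value_or_offset):
    """One 12-byte big-endian TIFF IFD entry (values <= 4 bytes are stored inline)."""
    return struct.pack(">HHII", tag, typ, count, value_or_offset)


def build_sample_jpeg_with_gps():
    """Constructed sample: SOI + APP1(Exif with a GPS sub-IFD) + EOI, no image data."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)          # big-endian TIFF header, IFD0 at offset 8
    gps_ifd_offset = 8 + (2 + 2 * 12 + 4)                # IFD0 is 30 bytes, so GPS IFD sits at 38
    ifd0 = struct.pack(">H", 2)                          # two entries in IFD0
    ifd0 += _ifd_entry(0x010F, 2, 4, int.from_bytes(b"Cam\x00", "big"))  # Make = "Cam" (inline ASCII)
    ifd0 += _ifd_entry(GPS_INFO_TAG, 4, 1, gps_ifd_offset)               # GPSInfo -> GPS IFD
    ifd0 += struct.pack(">I", 0)                         # no next IFD
    gps_ifd = struct.pack(">H", 1)                       # one entry: GPSLatitudeRef = "N"
    gps_ifd += _ifd_entry(0x0001, 2, 2, int.from_bytes(b"N\x00\x00\x00", "big"))
    gps_ifd += struct.pack(">I", 0)
    payload = EXIF_HEADER + tiff + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # length field counts itself
    return SOI + app1 + EOI


def iter_segments(data):
    """Yield (marker, start, end) for each header segment; stops at SOS or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == 0xD9:                                 # EOI
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                                 # SOS: entropy-coded data follows
            yield marker, pos, len(data)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:       # standalone markers, no length
            yield marker, pos, pos + 2
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_has_gps(app1_payload):
    """True if an APP1 Exif payload's IFD0 contains a GPSInfo pointer."""
    if not app1_payload.startswith(EXIF_HEADER):
        return False
    tiff = app1_payload[len(EXIF_HEADER):]
    endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 2 + 12 * i + 12]
        if len(entry) < 12:
            break
        if struct.unpack(endian + "H", entry[:2])[0] == GPS_INFO_TAG:
            return True
    return False


def photo_has_gps(data):
    """Pre-upload check: does any APP1 Exif segment carry a GPS sub-IFD?"""
    return any(marker == 0xE1 and exif_has_gps(data[start + 4:end])
               for marker, start, end in iter_segments(data))


def strip_metadata(data):
    """Drop APP1..APP15 (Exif, XMP, vendor blobs) and COM segments; keep APP0 and image data."""
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += data[start:end]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg_with_gps()
    print("GPS present before strip:", photo_has_gps(sample))   # True
    print("GPS present after strip:", photo_has_gps(strip_metadata(sample)))  # False
```

Dropping APP1 also removes orientation and colour-profile hints that some viewers rely on, so a real tool would re-emit a minimal Exif with only those fields rather than none at all.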
Conclusion
While storing photos online offers incredible convenience, it also comes with privacy risks that should not be ignored. From potential data breaches to unwanted facial recognition, the digital footprint your photos leave can expose much more about you than you might realize. By taking proactive steps to secure your photos and control who can access them, you can mitigate many of the privacy concerns associated with online storage. Always remember, with great convenience comes great responsibility when it comes to safeguarding your personal information.
The post Can Your Photos Stored Online Cause Privacy Concerns first appeared on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/6Y0CdtZ
On Dark Reading’s 19-year anniversary, Editor-in-Chief Kelly Jackson Higgins stops by Informa TechTarget’s RSAC 2025 Broadcast Alley studio to discuss how things have changed since the early days of breaking Windows and browsers, lingering challenges, and what’s next beyond AI.
from darkreading https://ift.tt/0oacFe2
Healthcare leaders are facing a mounting security crisis: More than two-thirds of healthcare organizations experienced ransomware attacks in 2024. Five of the top 10 ransomware attacks last year involved healthcare, and recovery costs averaged more than $2.5 million per incident.
This resurgence of ransomware attacks on the industry is partly thanks to the spread of ransomware-as-a-service (RaaS), eliminating the need for advanced technical expertise to carry out attacks. Healthcare continues to be an attractive target due to its critical nature: when patient lives are at stake, health systems are more likely to pay the ransom to restore operations as quickly as possible.
Cybercriminals value patient data, such as medical histories, Social Security numbers, insurance details, and financial records. Often sold on the dark web, this data is more valuable than standard credit card information because of its usefulness in a wide range of fraudulent activities, such as identity theft, insurance fraud, and even blackmail.
While the increasing digitization of healthcare supports obvious benefits like efficiency and improved care, it unfortunately also creates more opportunities for cybercriminals. Many organizations still use legacy systems with significant security risks. Connected devices such as MRI machines, ventilators, and heart monitors often lack standard security controls or have critical software vulnerabilities that make them attractive entry points. Third-party vendors offering services related to billing, data storage, or other operations may also have cybersecurity gaps that ransomware attackers can exploit to gain access to healthcare systems.
Beyond the cost and the threat to data, ransomware attacks severely compromise healthcare systems’ ability to treat patients. Downtime and loss of access to critical information have profound and far-reaching effects on patient care and safety. The impact of a ransomware attack can include:
Given these devastating outcomes, you would think healthcare systems would waste no time bolstering their defenses. Yet the industry still lags behind others when it comes to implementing robust cybersecurity measures that can proactively fend off attacks or mitigate damage from ransomware. More than half of healthcare organizations report allocating less than 10% of their IT budget to cybersecurity.
Bolstering healthcare cybersecurity for evolving threats
It’s time for healthcare leaders to start treating ransomware like what it is: a threat to patient safety and public health. Here are five strategic recommendations for proactively strengthening organizational resilience, securing data, and reducing disruptions caused by ransomware attacks.
The ever-increasing sophistication of ransomware groups, and their relentless focus on exploiting vulnerabilities in healthcare systems, adds to the urgency of this issue. In the interconnected environment of modern healthcare, a single cyber incident can cascade to affect not just one healthcare system but organizations in an entire region.
Cybersecurity has become as critical to patient outcomes as medical equipment. Investing in solutions that proactively defend healthcare networks from intrusion, minimize potential damage, and ensure clean backups for operational continuity can help ensure healthcare organizations stay online and functional even in the face of accelerating cyber threats.
__
Tamra Durfee, vCISO, Fortified Health Security, is an experienced CISO with over 25 years in information security, compliance, regulatory risk, strategy, innovation, and technology transformation. For the past 8 years, she has specialized in healthcare cybersecurity and building risk-based medical device information security programs. She is a presenter at HIMSS, CHIME, CHA, and a healthcare security contributor to Healthcare IT News. Tamra holds certifications as a Certified Healthcare CIO (CHCIO), Certified Digital Healthcare Executive (CDH-E), GIAC Security Leadership Certification, Certified Professional in Healthcare Information Management Systems (CPHIMS), and IBM Certified Solutions Architect.
The post Ransomware Resurgence: 5 Lessons from Healthcare’s Cyber Frontlines first appeared on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/ezsBrYC
In our hyperconnected world, mobile devices are no longer a convenience but central to how businesses operate and communicate. As organizations increasingly embrace mobility and bring-your-own-device (BYOD) policies, a hidden risk is quietly growing within the apps we rely on every day: mobile data leaks.
While many assume that breaches occur from malicious hacking attempts, a far more overlooked threat is the unintentional exposure of sensitive data due to misconfigured cloud services or weak cryptographic practices. This is not a hypothetical concern. In 2024 alone, over 1.7 billion individuals were impacted by personal data compromises, marking a 312% increase from the previous year. The financial toll? An estimated $280 billion.
Zimperium’s zLabs research team analyzed over 54,000 work-related mobile apps used by enterprise device fleets. Their findings reveal a disturbing reality that cloud misconfigurations and cryptographic flaws are widespread and, more importantly, preventable.
What Is a Mobile Data Leak?
A data leak occurs when sensitive information becomes unintentionally accessible to unauthorized individuals, often due to poor design, misconfiguration, or oversight in app development. Data breaches, by contrast, usually stem from deliberate external attacks, and one of the main vehicles for those attacks is an attacker exploiting the vulnerabilities that cause data leaks in the first place.
Mobile apps that store data in the cloud or perform cryptographic operations are particularly prone to such leaks. With mobile devices acting as both personal and business tools, the line between consumer and corporate data is increasingly blurred. This makes the implications of a mobile data leak even more severe, especially when it comes to personally identifiable information (PII), financial data, intellectual property, and corporate credentials.
Cloud Misconfigurations: Convenience With a Cost
Cloud services are widely adopted in mobile app development for their scalability and ease of use, but this convenience comes with a cost. Of the apps analyzed, 62% leveraged some form of cloud integration. Alarmingly, dozens of these were found to use cloud storage services without proper protection.
For example, over 100 Android apps were discovered with unprotected or misconfigured cloud storage. In several cases, entire file directories were accessible without authentication, and some of these apps even ranked among the top 1,000 most downloaded. This means a malicious actor wouldn’t need sophisticated tools or insider knowledge, just a web browser and patience, to access sensitive enterprise data.
Additionally, 10 apps had exposed hardcoded AWS credentials, effectively handing attackers the keys to access or even manipulate data. These types of exposures not only compromise confidentiality but could also enable attackers to delete or encrypt data for ransom, simulating the impact of a ransomware attack without deploying malware.
Even major corporations are not immune. A recent case involving one of the world’s largest automotive manufacturers saw over 260,000 customer records exposed due to a simple cloud misconfiguration. It is evident that mobile security must be embedded from the ground up, not implemented after the fact.
Cryptography: A False Sense of Security (if done wrong)
Encryption is often viewed as a silver bullet for data protection, but not all encryption is implemented equally well. zLabs’ research revealed that 88% of all analyzed apps, and nearly half of the top 100, use cryptographic methods that fail to meet industry best practices.
Common pitfalls include:
These flaws can render encryption useless: if attackers can guess, retrieve, or reverse-engineer cryptographic keys, the data is exposed regardless of how well it is stored or transmitted. In some cases, cryptographic weaknesses open the door to deeper attacks on enterprise infrastructure, such as man-in-the-middle attacks.
The Organizational Cost
The repercussions of mobile data leaks extend far beyond technical headaches: enterprises can face legal liability, reputational damage, and significant financial loss. Regulatory frameworks like GDPR, HIPAA, and others demand stringent data protection measures, and failing to comply can lead to severe penalties. The average cost of a data breach has risen to nearly $5 million per incident, with cloud misconfigurations and compromised credentials ranking among the most frequent root causes. These issues are not just IT problems; they are inherent business risks.
What Can Organizations Do?
Mobile data security begins with visibility, so it’s critical that organizations first understand the behavior of the apps operating within their environments. While they may not control third-party code, they can certainly control which apps are allowed on employee devices and under what conditions.
A proactive strategy includes cloud security checks to identify misconfigured or public-facing cloud storage, monitor for exposed credentials and API keys, and assess the security of integrated cloud services. This helps reduce the risk of unauthorized data access or leaks through cloud platforms.
Implementing cryptographic best practices is also essential. Organizations should validate that apps use modern, strong encryption algorithms and ensure proper key management by avoiding hardcoded keys. Additionally, it’s important to watch for weak or predictable random number generation that could compromise security.
Finally, third-party component vetting plays a crucial role. This involves evaluating the security of embedded SDKs and libraries, as well as tracking and responding to known vulnerabilities in third-party code. By staying vigilant and selective with the software components used, organizations can strengthen their mobile security posture.
Ultimately, security teams must adopt a mindset of continuous monitoring and risk assessment. Mobile threat defense solutions and app vetting tools are essential for ensuring that employees’ devices don’t become backdoors into enterprise systems.
Mobile devices and apps are here to stay: they are powerful, portable, and indispensable to modern business. But with their ubiquity comes responsibility. Data doesn’t leak on its own; poor security practices let it slip through the cracks. As organizations embrace the flexibility of mobile work, they must also adopt rigorous standards for app security.
The post Your Apps Are Leaking: Understanding and Preventing Mobile Data Exposure first appeared on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/QbxRUCD
Leading cybersecurity provider CISO Global (NASDAQ: CISO) is entering a new phase of growth, pivoting toward high-margin, recurring-revenue software offerings that complement its managed and professional services. According to a recent Zacks report, the company has launched multiple proprietary software platforms, including its AI-driven Argo Security Management platform, and expects significant revenue growth driven by recurring software sales. After restructuring its go-to-market strategy and consolidating 20+ acquisitions, CISO Global projects improved margins and a more scalable revenue model in 2025.
At the core of CISO Global’s recent announcements is a fundamental business model shift. For years, the company grew rapidly through more than 25 acquisitions, assembling a diversified portfolio of managed services, incident response, and consulting capabilities. But services alone are notoriously hard to scale. The move to develop proprietary platforms like Argo signals a deliberate step toward SaaS-driven margins and recurring revenue stability.
Argo, CISO’s flagship security management platform, appears to be central to this transition. It leverages AI to streamline threat detection and response workflows, likely integrating telemetry from customers’ existing security stacks. While details are limited, the platform’s focus on centralized visibility and orchestration suggests it may function similarly to extended detection and response (XDR) models—but tailored for mid-market clients without large SecOps teams.
Notably, CISO Global reported $57.4 million in revenue in 2023, with over 50% tied to managed and recurring offerings. This is important. The company isn’t just launching software; it’s converting existing service relationships into subscription-based platform engagements. That gives it a built-in upsell path, reducing customer acquisition costs and deepening account stickiness—both critical for margin expansion.
The report also signals a clear shift in leadership focus. CEO David Jemmett has stepped into a new role as Chief Strategy Officer, making room for new executives better suited to scale this next chapter. Strategic realignments like this often hint at a company preparing to be measured not just on top-line growth, but on operational metrics like gross margin, customer retention, and ARR growth rate.
CISO Global’s evolution is part of a larger movement across the cybersecurity landscape: MSSPs and consulting-heavy vendors are increasingly building or acquiring software IP to escape the margin squeeze of labor-intensive services. We’ve seen this before—Palo Alto Networks transitioned from appliances to cloud-delivered security, and Mandiant (pre- and post-Google) has flirted with similar hybrid models mixing IR with platform technology.
The recurring revenue model CISO is targeting is more than just a financial goal—it’s a response to customer demand. In the wake of SaaS sprawl, security leaders are looking for fewer vendors who can offer toolchain consolidation, streamlined dashboards, and built-in threat intelligence. Platforms like Argo potentially offer mid-sized enterprises a way to get “just enough” of an XDR/SIEM/SOAR experience without hiring a squad of engineers to manage it.
The timing is also aligned with significant external pressures. The SEC’s cybersecurity disclosure rules, effective as of late 2023, are pushing boards and executives to demand more continuous, auditable visibility into their risk posture. That visibility can’t be delivered through consulting alone—it needs centralized, always-on platforms. Regulatory scrutiny has effectively created a commercial tailwind for vendors with dashboardable, metrics-driven solutions.
Also worth noting: CISO Global’s increased investment in recurring software comes at a time when investor expectations are shifting. The report highlights that gross margins on software sales can reach 70–80%, compared to services margins that often cap out around 30–40%. As cybersecurity valuations compress across public markets, investors are rewarding companies that prioritize durable, high-margin revenue streams over raw top-line growth.
For cybersecurity leaders watching this space, the lesson isn’t just about following CISO Global’s trajectory—it’s about understanding the broader shift in what buyers are asking for and what vendors are trying to become. As more providers launch hybrid models—bundling consulting with proprietary platforms—CISOs need to sharpen their scrutiny. Are you buying expert hands, or just renting access to another dashboard?
Security buyers should also ask tough questions about integration, data portability, and lock-in. A platform like Argo may offer real value in visibility and orchestration, but only if it plays well with your existing stack and doesn’t become another silo. And for vendors, the takeaway is clear: if you’re services-heavy today, the pressure is on to deliver software that not only generates revenue, but demonstrably reduces customer risk.
The post CISO Global Shifts to SaaS Cybersecurity Platform first appeared on Cybersecurity Insiders.
from Cybersecurity Insiders https://ift.tt/2g35Urk
The NATO-run live cyber exercise event helps countries test and develop defenses against current and emerging cyber threats including disinformation, quantum, and AI.
from darkreading https://ift.tt/i8yWFl1
Microsoft researchers identify 10 new potential pitfalls for companies who are developing or deploying agentic AI systems, with failures potentially leading to the AI becoming a malicious insider.
from darkreading https://ift.tt/39EVh6x
Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands.
A threat actor, who may or may not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay.
The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.
“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” a company spokesperson said Wednesday in a statement. “We do not believe this is a new incident, as samples of the data match the data previously stolen in December.”
The company did not say how much it paid in ransom. “We made the decision to pay a ransom because we believe it to be in the best interest of our customers and the students and communities we serve,” the spokesperson said.
“We thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action,” the spokesperson added. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”
PowerSchool provides a suite of cloud-based software — including a student information system — to K-12 schools and districts, supporting more than 60 million students and 18,000 customers in over 90 countries. The company says its customers include more than 90 of the 100 largest school districts in the United States.
The company identified suspicious activity in the PowerSchool Student Information System on Dec. 28 of last year. CrowdStrike, which already provided endpoint detection-and-response software and a threat-hunting service to PowerSchool, began an investigation into the circumstances behind the attack the following day.
The unnamed attacker gained access to PowerSchool’s system with a compromised credential for a support user in the company’s PowerSource support portal. The level of access granted to a support technician includes “sufficient permissions to gain access to customer SIS database instances for maintenance purposes,” CrowdStrike said in an investigation report it released in late February.
The threat actor stole data from the “teachers” and “students” tables of the PowerSchool SIS instances for certain PowerSchool customers between Dec. 19 and Dec. 23, according to CrowdStrike’s report. The incident response firm said it found no evidence of system-layer access or malware, and nothing to indicate PowerSchool customer IT environments outside of PowerSource and PowerSchool SIS were compromised or at risk of intrusion due to the attack.
CrowdStrike found evidence of earlier unauthorized activity in the PowerSchool environment associated with the compromised support credentials between Aug. 16 and Sept. 17, but it couldn’t attribute this activity to the threat actor responsible for the malicious activity in December 2024.
The last evidence of threat actor activity occurred Dec. 28, when the attacker “used the compromised support credentials to log in to the maintenance interface of PowerSource to interact with PowerSchool SIS,” CrowdStrike said in the report.
PowerSchool customers have contacted the company to inform it of the recent extortion demands and threats.
“We have reported this matter to law enforcement both in the United States and in Canada, and are working closely with our customers to support them,” the company spokesperson said. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”
The post PowerSchool customers hit by downstream extortion threats appeared first on CyberScoop.
from CyberScoop https://ift.tt/Y1S0HTP
A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals.
In an indictment (PDF) unsealed last month, the U.S. Department of Justice said Dallas-based eWorldTrade “operated an online business-to-business marketplace that facilitated the distribution of synthetic opioids such as isotonitazene and carfentanyl, both significantly more potent than fentanyl.”
Launched in 2017, eWorldTrade[.]com now features a seizure notice from the DOJ. eWorldTrade operated as a wholesale seller of consumer goods, including clothes, machinery, chemicals, automobiles and appliances. The DOJ’s indictment includes no additional details about eWorldTrade’s business, origins or other activity, and at first glance the website might appear to be a legitimate e-commerce platform that also just happened to sell some restricted chemicals.
A screenshot of the eWorldTrade homepage on March 25, 2025. Image: archive.org.
However, an investigation into the company’s founders reveals they are connected to a sprawling network of websites that have a history of extortionate scams involving trademark registration, book publishing, exam preparation, and the design of logos, mobile applications and websites.
Records from the U.S. Patent and Trademark Office (USPTO) show the eWorldTrade mark is owned by an Azneem Bilwani in Karachi (this name also is in the registration records for the now-seized eWorldTrade domain). Mr. Bilwani is perhaps better known as the director of the Pakistan-based IT provider Abtach Ltd., which has been singled out by the USPTO and Google for operating trademark registration scams (the main offices for eWorldtrade and Abtach share the same address in Pakistan).
In November 2021, the USPTO accused Abtach of perpetrating “an egregious scheme to deceive and defraud applicants for federal trademark registrations by improperly altering official USPTO correspondence, overcharging application filing fees, misappropriating the USPTO’s trademarks, and impersonating the USPTO.”
Abtach offered trademark registration at suspiciously low prices compared to legitimate costs of over USD $1,500, and claimed they could register a trademark in 24 hours. Abtach reportedly rebranded to Intersys Limited after the USPTO banned Abtach from filing any more trademark applications.
In a note published to its LinkedIn profile, Intersys Ltd. asserted last year that certain scam firms in Karachi were impersonating the company.
Many of Abtach’s employees are former associates of a similar company in Pakistan called Axact that was shut down by Pakistani authorities for fraud in 2015. Axact met its demise not long after The New York Times ran a front-page story about the company’s most lucrative scam business: Hundreds of sites peddling fake college degrees and diplomas.
People who purchased fake certifications were subsequently blackmailed by Axact employees posing as government officials, who would demand additional payments under threats of prosecution or imprisonment for having bought fraudulent “unauthorized” academic degrees. This practice created a continuous cycle of extortion, internally referred to as “upselling.”
“Axact took money from at least 215,000 people in 197 countries — one-third of them from the United States,” The Times reported. “Sales agents wielded threats and false promises and impersonated government officials, earning the company at least $89 million in its final year of operation.”
Dozens of top Axact employees were arrested, jailed, held for months, tried and sentenced to seven years for various fraud violations. But a 2019 research brief on Axact’s diploma mills found none of those convicted had started their prison sentence, and that several had fled Pakistan and never returned.
“In October 2016, a Pakistan district judge acquitted 24 Axact officials at trial due to ‘not enough evidence’ and then later admitted he had accepted a bribe (of $35,209) from Axact,” reads a history (PDF) published by the American Association of Collegiate Registrars and Admissions Officers.
In 2021, Pakistan’s Federal Investigation Agency (FIA) charged Bilwani and nearly four dozen others — many of them Abtach employees — with running an elaborate trademark scam. The authorities called it “the biggest money laundering case in the history of Pakistan,” and named a number of businesses based in Texas that allegedly helped move the proceeds of cybercrime.
A page from the March 2021 FIA report alleging that Digitonics Labs and Abtach employees conspired to extort and defraud consumers.
The FIA said the defendants operated a large number of websites offering low-cost trademark services to customers, before then “ignoring them after getting the funds and later demanding more funds from clients/victims in the name of up-sale (extortion).” The Pakistani law enforcement agency said that about 75 percent of customers received fake or fabricated trademarks as a result of the scams.
The FIA found Abtach operates in conjunction with a Karachi firm called Digitonics Labs, which earned a monthly revenue of around $2.5 million through the “extortion of international clients in the name of up-selling, the sale of fake/fabricated USPTO certificates, and the maintaining of phishing websites.”
According to the Pakistani authorities, the accused also ran countless scams involving ebook publication and logo creation, wherein customers are subjected to advance-fee fraud and extortion — with the scammers demanding more money for supposed “copyright release” and threatening to release the trademark.
Also charged by the FIA was Junaid Mansoor, the owner of Digitonics Labs in Karachi. Mansoor’s U.K.-registered company Maple Solutions Direct Limited has run at least 700 ads for logo design websites since 2015, the Google Ads Transparency page reports. The company has approximately 88 ads running on Google as of today.
Junaid Mansoor. Source: youtube/@Olevels․com School.
Mr. Mansoor is actively involved with and promoting a Quran study business called quranmasteronline[.]com, which was founded by Junaid’s brother Qasim Mansoor (Qasim is also named in the FIA criminal investigation). The Google ads promoting quranmasteronline[.]com were paid for by the same account advertising a number of scam websites selling logo and web design services.
Junaid Mansoor did not respond to requests for comment. An address in Teaneck, New Jersey where Mr. Mansoor previously lived is listed as an official address of exporthub[.]com, a Pakistan-based e-commerce website that appears remarkably similar to eWorldTrade (Exporthub says its offices are in Texas). Interestingly, a search in Google for this domain shows ExportHub currently features multiple listings for fentanyl citrate from suppliers in China and elsewhere.
The CEO of Digitonics Labs is Muhammad Burhan Mirza, a former Axact official who was arrested by the FIA as part of its money laundering and trademark fraud investigation in 2021. In 2023, prosecutors in Pakistan charged Mirza, Mansoor and 14 other Digitonics employees with fraud, impersonating government officials, phishing, cheating and extortion. Mirza’s LinkedIn profile says he currently runs an educational technology/life coach enterprise called TheCoach360, which purports to help young kids “achieve financial independence.”
Reached via LinkedIn, Mr. Mirza denied having anything to do with eWorldTrade or any of its sister companies in Texas.
“Moreover, I have no knowledge as to the companies you have mentioned,” said Mr. Mirza, who did not respond to follow-up questions.
The current disposition of the FIA’s fraud case against the defendants is unclear. The investigation was marred early on by allegations of corruption and bribery. In 2021, Pakistani authorities alleged Bilwani paid a six-figure bribe to FIA investigators. Meanwhile, attorneys for Mr. Bilwani have argued that although their client did pay a bribe, the payment was solicited by government officials. Mr. Bilwani did not respond to requests for comment.
KrebsOnSecurity has learned that the people and entities at the center of the FIA investigations have built a significant presence in the United States, with a strong concentration in Texas. The Texas businesses promote websites that sell logo and web design, ghostwriting, and academic cheating services. Many of these entities have recently been sued for fraud and breach of contract by angry former customers, who claimed the companies relentlessly upsold them while failing to produce the work as promised.
For example, the FIA complaints named Retrocube LLC and 360 Digital Marketing LLC, two entities that share a street address with eWorldTrade: 1910 Pacific Avenue, Suite 8025, Dallas, Texas. Also incorporated at that Pacific Avenue address is abtach[.]ae, a web design and marketing firm based in Dubai; and intersyslimited[.]com, the new name of Abtach after it was banned by the USPTO. Other businesses registered at this address market services for logo design, mobile app development, and ghostwriting.
A list published in 2021 by Pakistan’s FIA of different front companies allegedly involved in scamming people who are looking for help with trademarks, ghostwriting, logos and web design.
360 Digital Marketing’s website 360digimarketing[.]com is owned by an Abtach front company called Abtech LTD. Meanwhile, business records show 360 Digi Marketing LTD is a U.K. company whose officers include former Abtach director Bilwani; Muhammad Saad Iqbal, formerly Abtach, now CEO of Intersys Ltd; Niaz Ahmed, a former Abtach associate; and Muhammad Salman Yousuf, formerly a vice president at Axact, Abtach, and Digitonics Labs.
Google’s Ads Transparency Center finds 360 Digital Marketing LLC ran at least 500 ads promoting various websites selling ghostwriting services. Another entity tied to Junaid Mansoor — a company called Octa Group Technologies AU — has run approximately 300 Google ads for book publishing services, promoting confusingly named websites like amazonlistinghub[.]com and barnesnoblepublishing[.]co.
360 Digital Marketing LLC ran approximately 500 ads for scam ghostwriting sites.
Rameez Moiz is a Texas resident and former Abtach product manager who has represented 360 Digital Marketing LLC and RetroCube. Moiz told KrebsOnSecurity he stopped working for 360 Digital Marketing in the summer of 2023. Mr. Moiz did not respond to follow-up questions, but an Upwork profile for him states that as of April 2025 he is employed by Dallas-based Vertical Minds LLC.
In April 2025, California resident Melinda Will sued the Texas firm Majestic Ghostwriting — which is doing business as ghostwritingsquad[.]com — alleging they scammed her out of $100,000 after she hired them to help write her book. Google’s ad transparency page shows Moiz’s employer Vertical Minds LLC paid to run approximately 55 ads for ghostwritingsquad[.]com and related sites.
Ms. Will’s lawsuit is just one of more than two dozen complaints over the past four years wherein plaintiffs sued one of this group’s web design, wiki editing or ghostwriting services. In 2021, a New Jersey man sued Octagroup Technologies, alleging they ripped him off when he paid a total of more than $26,000 for the design and marketing of a web-based mapping service.
The plaintiff in that case did not respond to requests for comment, but his complaint alleges Octagroup and a myriad other companies it contracted with produced minimal work product despite subjecting him to relentless upselling. That case was decided in favor of the plaintiff because the defendants never contested the matter in court.
In 2023, 360 Digital Marketing LLC and Retrocube LLC were sued by a woman who said they scammed her out of $40,000 over a book she wanted help writing. That lawsuit helpfully showed an image of the office front door at 1910 Pacific Ave Suite 8025, which featured the logos of 360 Digital Marketing, Retrocube, and eWorldTrade.
The front door at 1910 Pacific Avenue, Suite 8025, Dallas, Texas.
The lawsuit was filed pro se by Leigh Riley, a 64-year-old career IT professional who paid 360 Digital Marketing to have a company called Talented Ghostwriter co-author and promote a series of books she’d outlined on spirituality and healing.
“The main reason I hired them was because I didn’t understand what I call the formula for writing a book, and I know there’s a lot of marketing that goes into publishing,” Riley explained in an interview. “I know nothing about that stuff, and these guys were convincing that they could handle all aspects of it. Until I discovered they couldn’t write a damn sentence in English properly.”
Riley’s well-documented lawsuit (not linked here because it features a great deal of personal information) includes screenshots of conversations with the ghostwriting team, which was constantly assigning her to new writers and editors, and ghosting her on scheduled conference calls about progress on the project. Riley said she ended up writing most of the book herself because the work they produced was unusable.
“Finally after months of promising the books were printed and on their way, they show up at my doorstep with the wrong title on the book,” Riley said. When she demanded her money back, she said the people helping her with the website to promote the book locked her out of the site.
A conversation snippet from Leigh Riley’s lawsuit against Talented Ghostwriter, aka 360 Digital Marketing LLC. “Other companies once they have you money they don’t even respond or do anything,” the ghostwriting team manager explained.
Riley decided to sue, naming 360 Digital Marketing LLC and Retrocube LLC, among others. The companies offered to settle the matter for $20,000, which she accepted. “I didn’t have money to hire a lawyer, and I figured it was time to cut my losses,” she said.
Riley said she could have saved herself a great deal of headache by doing some basic research on Talented Ghostwriter, whose website claims the company is based in Los Angeles. According to the California Secretary of State, however, there is no registered entity by that name. Rather, the address claimed by talentedghostwriter[.]com is a vacant office building with a “space available” sign in the window.
California resident Walter Horsting discovered something similar when he sued 360 Digital Marketing in small claims court last year, after hiring a company called Vox Ghostwriting to help write, edit and promote a spy novel he’d been working on. Horsting said he paid Vox $3,300 to ghostwrite a 280-page book, and was upsold an Amazon marketing and publishing package for $7,500.
In an interview, Horsting said the prose that Vox Ghostwriting produced was “juvenile at best,” forcing him to rewrite and edit the work himself, and to partner with a graphical artist to produce illustrations. Horsting said that when it came time to begin marketing the novel, Vox Ghostwriting tried to further upsell him on marketing packages, while dodging scheduled meetings with no follow-up.
“They have a money back guarantee, and when they wouldn’t refund my money I said I’m taking you to court,” Horsting recounted. “I tried to serve them in Los Angeles but found no such office exists. I talked to a salon next door and they said someone else had recently shown up desperately looking for where the ghostwriting company went, and it appears there are a trail of corpses on this. I finally tracked down where they are in Texas.”
It was the same office that Ms. Riley served her lawsuit against. Horsting said he has a court hearing scheduled later this month, but he’s under no illusions that winning the case means he’ll be able to collect.
“At this point, I’m doing it out of pride more than actually expecting anything to come to good fortune for me,” he said.
The following mind map was helpful in piecing together key events, individuals and connections mentioned above. It’s important to note that this graphic only scratches the surface of the operations tied to this group. For example, in Case 2 we can see mention of academic cheating services, wherein people can be hired to take online proctored exams on one’s behalf. Those who hire these services soon find themselves subject to impersonation and blackmail attempts for larger and larger sums of money, with the threat of publicly exposing their unethical academic cheating activity.
A “mind map” illustrating the connections between and among entities referenced in this story. Click to enlarge.
KrebsOnSecurity reviewed the Google Ad Transparency links for nearly 500 different websites tied to this network of ghostwriting, logo, app and web development businesses. Those website names were then fed into spyfu.com, a competitive intelligence company that tracks the reach and performance of advertising keywords. Spyfu estimates that between April 2023 and April 2025, those websites spent more than $10 million on Google ads.
Reached for comment, Google said in a written statement that it is constantly policing its ad network for bad actors, pointing to an ads safety report (PDF) showing Google blocked or removed 5.1 billion bad ads last year — including more than 500 million ads related to trademarks.
“Our policy against Enabling Dishonest Behavior prohibits products or services that help users mislead others, including ads for paper-writing or exam-taking services,” the statement reads. “When we identify ads or advertisers that violate our policies, we take action, including by suspending advertiser accounts, disapproving ads, and restricting ads to specific domains when appropriate.”
Google did not respond to specific questions about the advertising entities mentioned in this story, saying only that “we are actively investigating this matter and addressing any policy violations, including suspending advertiser accounts when appropriate.”
From reviewing the ad accounts that have been promoting these scam websites, it appears Google has very recently acted to remove a large number of the offending ads. Prior to my notifying Google about the extent of this ad network on April 28, the Google Ad Transparency network listed over 500 ads for 360 Digital Marketing; as of this publication, that number had dwindled to 10.
On April 30, Google announced that starting this month its ads transparency page will display the payment profile name as the payer name for verified advertisers, if that name differs from their verified advertiser name. Searchengineland.com writes the changes are aimed at increasing accountability in digital advertising.
This spreadsheet lists the domain names, advertiser names, and Google Ad Transparency links for more than 350 entities offering ghostwriting, publishing, web design and academic cheating services.
KrebsOnSecurity would like to thank the anonymous security researcher NatInfoSec for their assistance in this investigation.
For further reading on Abtach and its myriad companies in all of the above-mentioned verticals (ghostwriting, logo design, etc.), see this Wikiwand entry.
from Krebs on Security https://ift.tt/pf2HWQv