Data Breach: US Retailer Hot Topic Discloses Multiple Cyberattacks
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
Retail chain Hot Topic has notified its customers that it was the victim of a series of credential-stuffing attacks. The wave of attacks, which took place between February 7 and June 21, 2023, exposed sensitive customer information.
Established in 1988, Hot Topic is an American retailer specializing in licensed music and counterculture-related apparel and accessories. With around 10,000 employees, the company operates both brick-and-mortar stores (600+ across the US) and an online store.
On August 1, the company notified its customers of the data breach, in which stolen account credentials were used to access its Rewards platform. The automated attacks against both the website and the mobile application were launched several times earlier this year.
“Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials (e.g., email addresses and passwords),” the notification read.
The attacks potentially allowed the unknown attackers to steal customers' personal information, including their name, order history, phone number, email address, month and day of birth, and mailing address. The company also revealed that the last four digits of the card saved to a compromised account may have been accessed by the unauthorized parties as well.
Following its investigation into the incident, the retailer clarified that the account credentials used in the attacks had not been obtained from Hot Topic itself.
Hot Topic also stated that, on discovering the incident, it launched several containment measures, including engaging third-party cybersecurity experts. Additional security measures were deployed to protect the website and mobile application from automated “credential-stuffing” attacks.
Moreover, Hot Topic disclosed that it was unable to differentiate between unauthorized and legitimate logins, so it was notifying all Rewards customers about the incident by email. Customers were also advised to change their Rewards account password to a strong, unique one and to be on guard against phishing attacks.
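Hot Topic's statement that it could not tell unauthorized logins from legitimate ones is the usual problem with credential stuffing: every attempt, successful or not, carries a real password. As an added example (not Hot Topic's code or anything from its notification), the Python below aggregates constructed login events per source address and time window and flags bursts that touch many distinct accounts with a high failure rate; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real Hot Topic data):
# timestamp, source IP, client channel, account, result
SAMPLE_LOG = """\
2023-02-07T02:10:01 203.0.113.7 web alice@example.com FAIL
2023-02-07T02:10:02 203.0.113.7 web bob@example.com FAIL
2023-02-07T02:10:02 203.0.113.7 mobile carol@example.com OK
2023-02-07T02:10:03 203.0.113.7 web dave@example.com FAIL
2023-02-07T02:10:04 203.0.113.7 web erin@example.com OK
2023-02-07T02:10:05 203.0.113.7 mobile frank@example.com FAIL
2023-02-07T09:30:00 198.51.100.4 web alice@example.com OK
2023-02-07T09:31:10 198.51.100.4 web alice@example.com OK
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into (datetime, ip, client, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, client, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, client, account, result))
    return events


def detect_stuffing(events, window_minutes=5, min_accounts=5, min_fail_ratio=0.5):
    """Flag (source IP, window) buckets that try many distinct accounts with a high failure rate.

    A single successful login with a valid password looks legitimate on its own; the
    signal only appears when attempts are aggregated by source, which is why the
    successful logins inside a flagged burst are returned as accounts worth notifying.
    """
    buckets = defaultdict(list)
    for ts, ip, client, account, result in events:
        start = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)
        buckets[(ip, start)].append((account, result, client))
    alerts = []
    for (ip, start), attempts in sorted(buckets.items()):
        accounts = {a for a, _, _ in attempts}
        ratio = sum(1 for _, r, _ in attempts if r == "FAIL") / len(attempts)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            alerts.append({
                "source": ip,
                "window_start": start.isoformat(),
                "distinct_accounts": len(accounts),
                "fail_ratio": round(ratio, 2),
                "clients": sorted({c for _, _, c in attempts}),
                "accounts_to_notify": sorted(a for a, r, _ in attempts if r == "OK"),
            })
    return alerts
```

Thresholds such as five accounts per five-minute window are starting points to tune against a site's own traffic; a proxy or mobile carrier NAT can put many genuine users behind one address, so a flagged source warrants rate limiting or step-up authentication rather than an outright block.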
FraudGPT: Rise of a New AI-Driven Malicious Chatbot
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
A new generative AI tool, “FraudGPT”, has been advertised across dark web marketplaces and Telegram channels since July 22, 2023.
The tool, discovered by security researchers at Netenrich, is reportedly designed to assist cybercriminals in their malicious activities. Although the specific large language model (LLM) used to build it is currently unknown, it is advertised as helping attackers craft spear-phishing emails and pages, write malicious code, create undetectable malware, find vulnerable markets and websites, and provide hacking tutorials.
“If you’re looking for a ChatGPT alternative designed to provide a wide range of exclusive tools, features and capabilities tailored to anyone’s individual needs with no boundaries then look no further,” the attacker advertised on Telegram.
The threat actor identified by the cybersecurity company had earlier been seen as an established vendor on various dark web marketplaces, including EMPIRE, WHM, VERSUS, TORREZ, WORLD, and ALPHABAY. To avoid the problems associated with marketplace exit scams, however, the vendor established a presence on Telegram in order to offer uninterrupted services.
Netenrich's investigation revealed that FraudGPT is being offered as a subscription service, starting at $200 a month, $1,000 for six months, or $1,700 per year. The seller also claims more than 3,000 confirmed sales and reviews.
According to security experts, the release of generative AI tools like FraudGPT and WormGPT is a growing concern for governments and organizations across the world. These malicious alternatives to ChatGPT can be a powerful tool in the hands of both expert criminals and tech novices looking to target individuals and organizations for espionage or financial gain.
To detect and combat such AI-enabled phishing, it is essential that organizations provide advanced security awareness training, as well as phishing behavior change training, across their departments.
“Implementing a defense-in-depth strategy with all the security telemetry available for fast analytics has become all the more essential to finding these fast-moving threats before a phishing email can turn into ransomware or data exfiltration,” noted the advisory.