Canary Trap’s Bi-Weekly Cyber Roundup
Happy New Year and welcome to the first edition of the “Bi-Weekly Cyber Roundup” by Canary Trap in 2025. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
The year 2025 starts off with a variety of developments: the U.S. identifies a 9th telecom company targeted by the Salt Typhoon cyber-espionage group, a massive data breach exposes over 765,000 users of a senior dating platform, and a novel exploit dubbed “DoubleClickjacking” bypasses clickjacking protections on major websites. Additionally, new details emerge on hackers hijacking 35 Google Chrome extensions, while the global community anticipates the next steps for a controversial cybercrime treaty recently adopted by the U.N.
- US Adds 9th Telecom Company to List of Known Salt Typhoon Targets
The U.S. government has revealed that a Chinese espionage campaign has compromised nine American telecommunications companies, according to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology. This adds one more victim to the previously known list of eight companies targeted in the operation, dubbed “Salt Typhoon.” The breach involved unauthorized access to unclassified communications, including those of senior U.S. government officials and high-profile political figures, as well as metadata belonging to an undetermined number of Americans.
The additional company was identified following federal guidance to telecom firms, outlining the methods used by Chinese attackers and providing instructions for detection. While the Chinese government denies involvement, the intrusion has raised bipartisan concern in Congress and calls for stronger cybersecurity measures.
The administration has proposed a range of policy responses, including a Federal Communications Commission (FCC) rule requiring telecom providers to implement and report cybersecurity practices annually. Noncompliance could lead to fines. Neuberger emphasized the importance of network segmentation to limit the damage of potential breaches, citing an instance where attackers gained extensive access to a telecom network through a single compromised administrator account.
The full extent of the breach may never be known, as attackers erased evidence of their activities, and companies lacked sufficient logging practices. To bolster defenses, the FCC is urged to enforce baseline cybersecurity requirements across the industry. Neuberger also highlighted efforts by the General Services Administration to enhance security standards in government contracts and ongoing discussions at the Commerce Department regarding a ban on China Telecom.
Additional measures are expected in the coming months as the U.S. government intensifies its response to this critical threat.
- Massive Data Breach Hits Senior Dating Website, Exposing Over 765,000 Users
The dating platform Senior Dating, which caters to individuals over 40, has suffered a significant data breach, exposing the personal information of 765,517 users. The breach was attributed to an unsecured Firebase database, raising concerns about safeguarding sensitive user data in other online matchmaking services.
The compromised data includes a range of personal details such as email addresses, profile photos, genders, birth dates, geographic locations, Facebook account links, and information about drinking and smoking habits, education, occupations, and relationship statuses. This level of detailed exposure creates a heightened risk for identity theft, fraud, and other malicious activities.
The breach, dated November 23, 2024, became publicly known after its addition to the Have I Been Pwned (HIBP) database on December 9, 2024. Alongside Senior Dating, a related platform, ladies.com, was also impacted. Both websites were taken offline immediately following the discovery.
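“Unsecured Firebase database” almost always means a rules problem rather than a code bug. As an added example (not from the article, and nothing is known about the rules this particular platform used), the JavaScript below places a world-readable Realtime Database rule set next to one scoped to the authenticated owner, and adds a small linter that walks a rules document and reports every path where `.read` or `.write` is granted unconditionally. It assumes the Realtime Database JSON rules format; both rule sets are constructed for the example.

```javascript
// Added example: linting Firebase Realtime Database rules for unconditional access.
// Assumes the Realtime Database rules format (a JSON tree whose nodes carry ".read"
// and ".write" expressions). Both rule sets below are constructed samples.

// Weak: every record is readable and writable by anyone on the internet. Permissions
// cascade to child nodes, so a grant at the root exposes the whole tree.
const WEAK_RULES = {
  rules: {
    '.read': true,
    '.write': true,
  },
};

// Hardened: nothing is readable at the root; a user profile is readable and
// writable only by the signed-in user whose uid matches the path.
const HARDENED_RULES = {
  rules: {
    '.read': false,
    '.write': false,
    users: {
      $uid: {
        '.read': 'auth != null && auth.uid === $uid',
        '.write': 'auth != null && auth.uid === $uid',
      },
    },
  },
};

// True if a rule expression grants access to everyone, including unauthenticated
// callers. Rules may be booleans or expression strings; the literal "true" (any
// case or spacing) and "auth == null" (allow only when NOT signed in) both count.
function isUnconditional(expr) {
  if (expr === true) return true;
  if (typeof expr !== 'string') return false;
  const s = expr.replace(/\s+/g, '').toLowerCase();
  return s === 'true' || s === 'auth==null' || s === 'auth===null';
}

// Walks the rules tree and returns every path whose .read or .write is unconditional.
// Keys beginning with "." other than .read/.write (.validate, .indexOn) are skipped;
// "$variable" wildcard keys are descended into like ordinary children.
function findOpenRules(rulesDoc) {
  const findings = [];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (key === '.read' || key === '.write') {
        if (isUnconditional(value)) {
          findings.push({ path: path || '/', rule: key, expr: value });
        }
      } else if (!key.startsWith('.')) {
        walk(value, `${path}/${key}`);
      }
    }
  };
  walk(rulesDoc.rules, '');
  return findings;
}

// Stand-alone run: report on both rule sets.
console.log('weak:', JSON.stringify(findOpenRules(WEAK_RULES)));
console.log('hardened:', JSON.stringify(findOpenRules(HARDENED_RULES)));
```

The linter is deliberately conservative: it only flags expressions that are unconditional on their face. A rule such as `auth != null` still lets any signed-up account read everything, which is exactly what a scraper with a throwaway login wants, so a finding-free run is not a clean bill of health; ownership checks like the `$uid` comparison above are the real fix.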
Cybersecurity experts warn of the potential for phishing, stalking, and targeted attacks stemming from the breach. Users are strongly advised to change passwords immediately, especially if they have reused the same credentials across multiple accounts. Implementing unique, strong passwords across platforms can mitigate the risk of further exposure. Additionally, users are advised against sharing sensitive information such as passwords, Social Security numbers, or credit card details via email. Scammers may exploit knowledge from the breach to craft convincing phishing attempts through emails, phone calls, or messaging apps.
Reviewing and updating privacy settings on social media platforms is critical, along with considering subscription services that monitor financial accounts for unusual activity. While the platforms involved in the breach have shut down, users should remain alert to prevent further exploitation of their personal data.
- New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites
Security researchers have revealed a new vulnerability class, termed “DoubleClickjacking”, which exploits a double-click sequence to enable clickjacking attacks and account takeovers on major websites. This technique bypasses known protections, such as X-Frame-Options headers and SameSite cookie settings, by taking advantage of the timing gap between the two clicks involved in a double-click action.
In a conventional clickjacking attack, a malicious site layers a legitimate page, typically in a transparent iframe, beneath harmless-looking content so that a click intended for the decoy lands on a sensitive control such as an “Allow” or “Confirm” button. DoubleClickjacking extends this idea by exploiting the interval between the first and second click of a double-click, and it needs no iframe at all. The attack works as follows:
- A user visits an attacker-controlled page, which opens a new browser window (or tab) on top of itself with little or no user interaction, often disguised as a routine task such as a CAPTCHA.
- The new window asks the user to double-click to complete the task, such as confirming a step.
- While that window is open, the attacker’s original (opener) page uses JavaScript to navigate itself to a legitimate but sensitive page, such as the consent screen that authorizes an attacker-controlled OAuth application.
- On the first click of the double-click (the mousedown event), the attacker closes the top window. The second click lands on the sensitive page’s confirmation button, so the user approves the action without ever seeing it.
This technique sidesteps defenses that were built around single clicks on framed content. X-Frame-Options and the Content Security Policy (CSP) frame-ancestors directive only govern whether a page may be embedded in a frame; here the target is loaded directly as a top-level document in the opener window, so they never apply. For the same reason the request is an ordinary top-level navigation, the kind SameSite cookies are sent with, so the victim arrives on the authorization page already logged in. The only thing the attacker relies on is the timing of the double-click.
To mitigate the risk, website owners can implement a client-side fix that disables critical buttons until a user performs a specific action, such as a mouse gesture or key press. Some services, such as Dropbox, have already adopted such preventive measures.
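As an added example (not code from the original article or from the researchers who disclosed the technique), the JavaScript below implements the gesture-gated button described above: the sensitive button stays disabled until the document has seen a mouse movement or key press. The gate logic is kept separate from the DOM wiring so it can be replayed in Node against constructed event traces; the element id `authorize` is a placeholder for whatever button the page needs to protect.

```javascript
// Added example: gating a sensitive button on evidence of a real user gesture.
// IntentGate is a small state machine; attachIntentGate() wires it to a DOM button
// when a document exists. The element id "authorize" is a placeholder.

class IntentGate {
  constructor() {
    this.armed = false;   // set once a mousemove or keydown has been observed
    this.accepted = 0;    // clicks honoured because a gesture preceded them
    this.blocked = 0;     // clicks rejected because no gesture preceded them
  }

  // Feeds one DOM event type through the gate. Returns true only for a click
  // that should be honoured.
  handle(type) {
    switch (type) {
      case 'mousemove':
      case 'keydown':
        this.armed = true;
        return false;
      case 'click':
        if (this.armed) {
          this.accepted += 1;
          return true;
        }
        this.blocked += 1;
        return false;
      default:
        return false;
    }
  }
}

// Replays a sequence of event type names through a fresh gate.
function simulate(events) {
  const gate = new IntentGate();
  for (const e of events) gate.handle(e);
  return { accepted: gate.accepted, blocked: gate.blocked };
}

// Constructed traces. In a DoubleClickjacking flow the victim's second click lands
// on a document that was just navigated into the opener window; the pointer has
// not moved and no key was pressed on that document, so the click is the first
// event it sees. A real user moves the pointer onto the button, or tabs to it, first.
const DOUBLECLICKJACK_TRACE = ['click'];
const LEGIT_MOUSE_TRACE = ['mousemove', 'mousemove', 'click'];
const LEGIT_KEYBOARD_TRACE = ['keydown', 'click'];

// Browser wiring: the button starts disabled and is enabled only after a gesture.
// The click handler is a second line of defence in case "disabled" is removed.
function attachIntentGate(doc, button) {
  const gate = new IntentGate();
  button.disabled = true;
  const arm = (ev) => {
    gate.handle(ev.type);
    button.disabled = !gate.armed;
  };
  doc.addEventListener('mousemove', arm, { once: true });
  doc.addEventListener('keydown', arm, { once: true });
  button.addEventListener('click', (ev) => {
    if (!gate.handle('click')) ev.preventDefault();
  });
  return gate;
}

if (typeof document !== 'undefined') {
  const btn = document.getElementById('authorize');
  if (btn) attachIntentGate(document, btn);
}

// Stand-alone run (Node): show how each trace is treated.
console.log('doubleclickjack:', JSON.stringify(simulate(DOUBLECLICKJACK_TRACE)));
console.log('legit mouse:    ', JSON.stringify(simulate(LEGIT_MOUSE_TRACE)));
console.log('legit keyboard: ', JSON.stringify(simulate(LEGIT_KEYBOARD_TRACE)));
```

The gate is purely client-side and only raises the bar; an attacker who can induce a pointer movement on the target page before the second click defeats it, which is why the researchers also call for a browser-level control rather than relying on per-site JavaScript.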
For a more permanent solution, researchers suggest that browser vendors develop standards similar to X-Frame-Options to specifically defend against double-click exploitation.
- After UN Adoption, Controversial Cybercrime Treaty’s Next Steps Could Prove Vital
A contentious United Nations cybercrime treaty, viewed by some as a potential threat to human rights, has moved to the ratification stage after being adopted by the U.N. General Assembly. While the treaty aims to combat cybercrime by fostering international cooperation, including evidence sharing, critics warn of its implications for privacy and freedom of expression, given its broad definitions and the flexibility it leaves states in implementation.
For the treaty to take effect, 40 nations must ratify it, a process that could take years and faces significant hurdles, particularly in the United States, where Senate approval requires a two-thirds majority. The U.S. Mission to the U.N. has emphasized that its support hinges on how nations apply the treaty while upholding human rights and legal protections.
The treaty’s scope includes serious crimes punishable by at least four years in prison, which could lead to controversial international cooperation requests. For example, in Russia, defaming the military carries a sentence of up to 15 years, potentially triggering treaty provisions. Despite such concerns, safeguards were incorporated into the treaty, stating that implementation must align with international human rights laws.
While critics, including civil rights groups, argue that the treaty could be misused to target journalists and dissidents, proponents highlight its potential to enhance global enforcement and harmonize legal frameworks. U.S. and European leaders aim to ensure its application adheres to democratic principles, with calls for nations to safeguard rights related to speech, political dissent, and identity.
U.N. Secretary-General António Guterres lauded the treaty as a testament to effective multilateralism, urging all nations to adopt and responsibly implement it to promote a secure cyberspace. However, its long-term impact will depend on how member states balance cybersecurity goals with protecting fundamental freedoms.
- New Details Reveal How Hackers Hijacked 35 Google Chrome Extensions
New insights have surfaced about a targeted phishing operation compromising at least 35 Chrome extensions, including one from cybersecurity firm Cyberhaven. The attackers injected data-stealing code into these extensions, affecting a user base of approximately 2.6 million people.
The campaign reportedly began in early December 2024, though traces of related malicious activity date back to March 2024. Developers reported receiving phishing emails claiming their extensions violated Chrome Web Store policies. These emails redirected recipients to a convincing phishing page mimicking Google’s legitimate platform, tricking them into granting access to their Chrome Web Store accounts via a malicious OAuth application named “Privacy Policy Extension.”
The attack abused a legitimate OAuth authorization flow rather than stealing passwords: the developer signed in to Google normally, multi-factor authentication (MFA) included, and then consented to the attacker’s application, so MFA never had a chance to block anything. That consent gave the attackers permission to edit and update the developer’s extensions directly. Once in, the threat actors injected two malicious files, `worker.js` and `content.js`, designed to extract sensitive Facebook user data, including IDs, access tokens, and account details, and then pushed the tampered extensions to the Chrome Web Store as new versions.
Analysis of the malicious code revealed its intent to monitor user interactions on Facebook, capturing CAPTCHA or QR code images tied to the platform’s two-factor authentication. This allowed attackers to bypass 2FA protections and seize control of targeted accounts. Exfiltrated data, including cookies and mouse click events, was sent to the attackers’ command-and-control server.
Evidence suggests the campaign was extensive, with pre-registered domains linked to numerous extensions, even if the developers did not fall for the phishing scam. These domains were mostly created in late 2024, though testing for the attack began much earlier.
The attackers appear focused on Facebook business accounts, exploiting them for unauthorized payments, running disinformation campaigns, or selling account access on the dark web.
This campaign underscores the need for vigilance among extension developers, particularly around unexpected policy notices and consent prompts from third-party applications, since an OAuth grant made on a convincing phishing page hands over publishing rights without any password or MFA code ever changing hands.
References:
https://therecord.media/nine-us-companies-hacked-salt-typhoon-china-espionage
https://informationsecuritybuzz.com/data-breach-hits-senior-dating-website/
https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html