Dutch teen duo arrested over alleged ‘Wi-Fi sniffing’ for Russia

Infosec In Brief Police in the Netherlands arrested two 17-year-olds last week over claims that Russian intelligence recruited them to spy on the headquarters of European law enforcement agencies.

According to Dutch media, on August 16 authorities observed one of the teenagers carrying a "Wi-Fi sniffer" near the headquarters of Europol and the EU criminal investigation agency Eurojust, and near the Canadian embassy. The National Public Prosecutor’s Office confirmed the arrests but declined to provide further details, citing the age of the defendants.

Police released one of the youths – with an ankle monitor – but the other suspect will remain in custody for 14 days. The latter was arrested while doing his homework, his father told Dutch newspaper De Telegraaf, when officers with search warrants entered their home and seized electronic equipment, saying they wanted him for "providing services to a foreign power."

"He doesn’t go out, he has a job at a supermarket, and shows no interest in exploring the world," the father said. "We raise our kids to be prepared for dangers like smoking, vaping, alcohol, and drugs – but not for something like this. Who could ever anticipate it?"

Germany's Federal Criminal Police Office for one, as it recently launched a public-information campaign named "Don't become a disposable agent" to warn that Russia is recruiting spies on social media.

Thieves get ready to score in FIFA fraud explosion

Fraudsters have set up over 4,300 domains mimicking official sites for the FIFA 2026 World Cup football tournament, which kicks off in June 2026.

The domains use names related to the tournament and cities hosting matches in the US, Canada, and Mexico, and offer facilities to buy and trade tickets, or watch live streams of matches.

Security shop Check Point last week found over 4,300 fraudulent football domains, 1,500 of which appeared in a four-day period during August.

Check Point believes a small number of entities created the sites as part of a coordinated campaign. Buyers registered most of the domains with GoDaddy, Namecheap, Gname, Dynadot, and Porkbun, which Check Point believes the fraudsters targeted because each allows bulk domain purchases.

"The evidence points to a pre-activation fraud ecosystem that is already functional and awaiting the moment of exploitation. Mitigation must therefore begin now rather than in 2026," Check Point said. "Continuous monitoring of FIFA+year+city combinations in multiple languages should be prioritized, with registrar partnerships enabling rapid takedowns of synchronized domain bursts."

The scammers mostly registered .com domains, but also tried .online, .shop, .store, and .football. Some of the domains use terms related to the 2030 and 2034 World Cups, suggesting these operators are trying to gain long-term legitimacy with search engines to enable future fraud.

There's also an interesting aspect to the languages used in the operation. Streaming scammers, who promise footage but then push malware onto visitors, primarily target English speakers. Domains using Spanish and Portuguese terms target merchandise and ticket fraud.
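The "FIFA+year+city" monitoring Check Point recommends can be approximated with a simple heuristic over a registrar feed. The Python below is an added example, not Check Point's tooling; the registration feed, the city list and the lure-word lists are constructed and illustrative, and the year set mirrors the 2026/2030/2034 terms mentioned above.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample feed of new registrations: (domain, registrar, registration date).
# These are not real domains from the Check Point research.
SAMPLE_REGISTRATIONS = [
    ("fifa2026-tickets.com", "GoDaddy", date(2025, 8, 12)),
    ("worldcup2026-toronto-live.online", "Namecheap", date(2025, 8, 12)),
    ("mundial2026-entradas-guadalajara.shop", "GoDaddy", date(2025, 8, 12)),
    ("fifa2026-newyork.store", "GoDaddy", date(2025, 8, 12)),
    ("fifa2026-losangeles-streams.com", "Dynadot", date(2025, 8, 12)),
    ("copa2030-ingressos.football", "Porkbun", date(2025, 8, 13)),
    ("example-bakery.com", "GoDaddy", date(2025, 8, 12)),
    ("fifa-history-blog.org", "Gname", date(2025, 7, 1)),
]

# Tournament term in English/Spanish/Portuguese immediately followed by a World Cup year.
PATTERN = re.compile(
    r"(?P<term>fifa|world-?cup|mundial|copa(?:-?do-?mundo)?)[-_]?(?P<year>2026|2030|2034)"
)
# Partial, illustrative list of host-city spellings (assumption, not from the page).
CITIES = ("toronto", "vancouver", "guadalajara", "monterrey", "mexico-?city",
          "new-?york", "los-?angeles", "miami")
# Lure words that indicate ticket/merchandise fraud versus streaming lures.
LURES = {"ticket": ("ticket", "entradas", "ingressos", "boletos"),
         "stream": ("live", "stream", "ao-?vivo", "en-?vivo")}


def classify(domain):
    """Return term/year/city/lure for a lookalike domain, or None if it does not match."""
    name = domain.lower().rsplit(".", 1)[0]          # drop the TLD before matching
    m = PATTERN.search(name)
    if not m:
        return None
    city = next((c for c in CITIES if re.search(c, name)), None)
    lure = next((kind for kind, words in LURES.items()
                 if any(re.search(w, name) for w in words)), None)
    return {"term": m.group("term"), "year": m.group("year"), "city": city, "lure": lure}


def find_bursts(registrations, threshold=3):
    """Group lookalike registrations by day; days at or above threshold are bursts."""
    by_day = defaultdict(list)
    for domain, registrar, reg_date in registrations:
        if classify(domain):
            by_day[reg_date].append((domain, registrar))
    return {d: hits for d, hits in by_day.items() if len(hits) >= threshold}


def registrars_in_burst(hits):
    """Count registrars within one burst, to prioritise takedown requests."""
    counts = defaultdict(int)
    for _, registrar in hits:
        counts[registrar] += 1
    return dict(counts)
```

A real deployment would feed this from certificate-transparency logs or a newly-registered-domain feed and route each burst's registrar counts to the takedown contacts Check Point describes.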

US federal agency’s GeoServer attacked

The Cybersecurity and Infrastructure Security Agency last week disclosed a chain of errors that let attackers hack a federal agency and said that users of the open source GeoServer geographic information system (GIS) need to get patching.

On July 11 last year, attackers exploited a flaw in GeoServer that had been disclosed only 11 days before and used it to download malware designed to scan and move through the unnamed agency's network. On July 24 they used the same technique on a second system running GeoServer and then moved malware onto a separate SQL server.

"On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation," CISA said in an advisory. "The cyber threat actors also used living off the land (LOTL) techniques."

China Chopper is a venerable web shell that was initially used by Middle Kingdom meddlers, but whose use has spread to other state-sponsored attackers and criminal groups. The speed with which bad-faith actors exploited the flaw after patch publication suggests a highly motivated attack.

Despite warning signs, the agency’s security software didn’t spot the problem until July 31, after malware on the infected SQL server was spotted trying to transfer data, and investigators later discovered two other compromised systems.

CISA investigators concluded that the federal agency missed a security alert, lacked an incident response plan (IRP), and was therefore slow to isolate infected servers.

Creating an IRP, and practicing it, is infosec 101. The fact a government agency didn’t have one is concerning.

CISA didn't name and shame the agency, just saying it was a "federal civilian executive branch" operation, which includes the US departments of Justice, Commerce, and the Interior, as well as the FTC and NASA.

Interpol claws back $439M from online criminals

Police actions in 40 countries recovered nearly half a billion dollars, global law enforcement agency Interpol reports.

Operation HAECHI VI took place between April and August this year and targeted funds stolen by business email compromise (BEC), voice phishing, romance scams, and money laundering operations. Police recovered $342 million in cash and another $97 million in confiscated physical property, blocked over 68,000 bank accounts and frozen almost 400 cryptocurrency wallets.

In one case involving a group of Thai and West African operators, local authorities seized $6.6 million after the group carried out a BEC scam against a "major Japanese corporation," convincing it to transfer the funds to a fictitious Thai business. In a similar case, Korean police recovered nearly $4 million after fraudsters tricked a local steel company into sending funds to Dubai on the evidence of forged shipping documents.

"While many people believe that funds lost to fraud and scams are often irretrievable, the outcomes of HAECHI operations demonstrate that recovery is indeed possible," said Theos Badege, director pro tempore of Interpol’s Financial Crime and Anti-Corruption Centre.

"As one of Interpol’s flagship financial crime operations, HAECHI is a prime example of how global cooperation can protect communities and safeguard financial systems. We encourage more member countries to join us in this collective effort."

The agency’s Global Rapid Intervention of Payments system drove much of the operation’s success, Interpol said. The system is designed to race after purloined funds and block transactions down the line, and since its launch in 2022 has been used to recover millions in ripped-off resources.

SaaS industry sets app security testing rules

The increasing prevalence of security incidents across SaaS ecosystems has prompted an attempt to standardize settings to lock down security holes.

A July survey found that 74 per cent of companies had a SaaS-related security incident in the last year, a rise of 33 per cent, even though 91 per cent of respondents said they felt satisfied with their cloud security posture. Disturbingly, such attacks were often possible due to poorly managed permissions (41 per cent) and misconfiguration of security standards (29 per cent).

To address such problems, the Cloud Security Alliance (CSA) last week published a set of metrics, dubbed the SaaS Security Capability Framework (SSCF), that set out common standards for SaaS security.

"The SSCF addresses the critical gap in existing risk management processes," said the proposal's lead author Brian Soby, CTO at AppOmni.

"It goes beyond generic security certifications like SOC 2 and ISO 27001 by defining the customer-facing, configurable security controls that every SaaS application should provide. Without a clear standard for what security teams can and should be able to manage, it’s a wild west of missing or inconsistent controls, duplicated efforts, and risk."

However, the plan is voluntary and the number of attacks against SaaS platforms is increasing. This has an element of horses and stable gates, but the proposals are worth considering. The CSA SSCF working group is now looking for feedback on the proposals. ®

https://go.theregister.com/feed/www.theregister.com/2025/09/29/infosec_in_brief/