Shein shoppers watch out for this scam.

Mar 08 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that hits different like snow in the UK in March.

Today’s hottest cyber security stories:

  • Hacked is the new black. Shein’s app transmits clipboard data
  • I smell a CapraRAT! Cupid’s swapped his bow and arrow and for a phishing rod
  • Egg on (f)Acer. Electronics giant confirms breach


Popular China-based budget fashionwear site Shein potentially had its Android app hacked when it became apparent that customer’s clipboard data was being transmitted to a remote server.

What’s in your clipboard? Your clipboard is where data that you’ve copied is stored. As you can imagine, clipboards often contain sensitive information such as usernames and passwords.

We’re not just talking about your inside leg measurement or dress size here, folks! The potential for damage is fairly substantial.

Shein, originally named ZZKKO (can see why they changed that!), is a Chinese online ‘fast fashion’ retailer based in Singapore. Its UK distribution headquarters is in Reading, England.

The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. It was last season’s (geddit?) app that had the bug, though: version 7.9.2, to be exact.

Keep your apps updated, peeps!

Shein had the following to say, regarding the possible hack: “We’re not specifically aware of any malicious intent behind the behaviour.”

The good news is the Microsoft 365 Defender Research Team discovered the problem and the issue has since been addressed as of May 2022.

However, researchers Dimitrios Valsamaras and Michael Peck acknowledged: “Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data.”

Careful what you clipboard, folks. It’s a jungle out there!


When looking for love, it’s important to be on the lookout for love rats. In this case, it’s capraRAT you need to be weary of. So, what’s the scoop?

Basically, Pakistani Android users are being targeted by a Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe with a backdoor called CapraRAT.

Lovestruck fools are being lured by a honeytrap offensive wherein would be victims are digitally wined and dined, before being pressured to install the malware-laced apps under the pretext of ‘secure’ (ironic) messaging and calling.

Enter, the offending application that leaves its visitors with more than just broken hearts.

As many as 150 victims, likely with military or political leanings, are estimated to have been targeted with this exploitative phishing app.

What becomes of the broken-hearted, eh? Remember, when embroiled in international espionage… Keep it in your bloody pants!

What, like James Bond? Hmm good point ????


One user of a well-known cybercrime forum called BreachForums this week gleefully proclaimed: “Today I’m selling a leaked collection of various confidential stuff from Acer ????”

The hacker, who calls himself Kernelware, has a good reputation on BreachForums where the data was offered for sale; he claims the data was stolen in mid-Ferbrurary.

He bragged: “Honestly, there’s so much shit that it’ll take me days to go through the list of what was breached lol.”

If he’s to be believed, the leak contains a total of 160GB of 655 directories, and 2869 files. Quite a haul!

Acer has responded by downplaying the incident. It said: “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians.

“While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server.”

Kernelware said they’ll only accept Monero (XMR) cryptocurrency as payment for the loot and will only sell via a middleman.

There’s no asking price, just a note telling prospective buyers to private message with offers.

Monero cryptocurrency has become the go-to for cybercriminals thanks to its superior privacy and anonymity.


So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles