This could be the scariest scam in a while.

May 09 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that doesn’t take unauthorised holidays like Messi. #goat

Today’s hottest cyber security stories:

  • QR code scan scams syphon savings… Scariest scam in a while, this
  • Twitter admits private NSFW ‘Circle’ tweets were exposed by hack… Juicy
  • Iranian spies dubbed ‘Charming Kitten’ drop ‘BellaCiao’ malware. Cybercrime, amiright?


To be fair, folks, it was fancy Taiwanese bubble tea. Just kidding. So, a poor woman scanned a fake QR code and filled out a survey with hopes of earning herself a ‘free cup of milk tea’, as per the sign on the window of bubble tea shop. So far, so good.

Only problem is the ‘offer’ was a particularly nasty and incredibly deceptive phishing attack so instead of a nice cup of bubble tea (or maybe as well as… but still!), $20,000 was stolen from her bank account while she slept. Can you f*cking imagine?

In order to fill out the survey, she’d downloaded a dodgy app which sat peacefully on her home screen alongside Deliveroo, Uber, and TikTok; that is, until nighttime, when this previously dormant app lit up and began dismantling this unfortunate Singapore woman’s life. Terrifying is an understatement.

“Enticed by what seemed like a good deal, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app onto her Android phone to complete the ‘survey,'” reports Straits Times.

Mr. Beaver Chua, head of anti-fraud at OCBC Bank’s group financial crime compliance department, who relayed the news of the victim to local media calls the scam particularly ‘insidious’.

“This scam is so insidious because scammers take over the victim’s phone. And because victims lose control of their Internet banking account, they won’t even know when their savings have been completely wiped out,” says Mr. Chua.

UK and US readers BEWARE!

We know what you’re thinking, that’s absolutely awful but it happened in Singapore so do I need to be worried? Unfortunately, the answer is yes.

Over here in the west, the scam has taken the form of fake parking tickets with, you guessed it, QR codes.

“I know everyone hates getting citations in San Francisco. Scammers are getting more BOLD!! Issuing fake parking citations!! FYI: parking in SF is regulated by SFMTA, it will never have a city logo on a citation !! Please watch out , if you received one like this , toss it out because the QR code links to your bank account,” warns the user, who has shared the picture of the fake citation:

So, be careful out there, potentially illegally parked motorists, and remember: If in doubt, customers should verify a parking citation or legal correspondence on the official websites of the government bodies.


Oh boy, Twitter has really outdone itself this time! They’ve accidentally published some tweets that were never meant to be seen by anyone except the poster’s closest friends.

Talk about a privacy breach! And what’s worse, they’ve been denying it for weeks, but finally had to come clean.

Apparently, Twitter’s Circles feature was supposed to be the solution to all our problems. You could make an exclusive list of friends and post tweets that only they could see. It’s like Instagram’s Close Friends setting, but for people who want to share their private thoughts, explicit images, or unprofessional statements without risking their reputation with the wider world.

But it looks like that plan didn’t work out too well. Twitter has now admitted that tweets have escaped this containment and made their way into the public eye. Oopsie!

In an email to affected users, they apologised for a “security incident” that occurred earlier this year. Translation: someone messed up and now everyone knows your deepest, darkest secrets.

Time to start damage control!


It looks like our friends in Iran have been up to some cyber espionage shenanigans. They’ve been infecting Microsoft Exchange Servers with a new malware implant called BellaCiao.

Nope, it’s not a catchy Italian tune, it’s actually a dropper for additional payloads. Who knew malware could be so musical?

According to Bitdefender, these attackers are like the ultimate personalised gift-givers. They customise their attacks for each victim, including the malware binary itself, which contains some pretty specific information like company name, custom subdomains, and IP addresses.

They even organise their victims into folders by country code! It’s like they’re running a dodgy cyber espionage version of a post office.

The group responsible for all this fun is known as Charming Kitten (cute right?), APT35, or Phosphorus. Apparently, they’re a hacking team operated by the Islamic Revolutionary Guard Corps, which is a branch of the Iranian military.

Microsoft has recently reported that Charming Kitten has been targeting US critical infrastructure, which sounds pretty serious. They’re going after seaports, energy companies, transit systems, and even a major utility and gas entity. Yikes!

Doesn’t sound very charming or cute to us…

So long and thanks for reading all the phish!

Recent articles