Uber hacked for third time in six months.

Apr 06 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s in the eye of the (cyber-)storm like Nicola Sturgeon. Seriously, they’re digging up her garden, y’all ????????????

Today’s hottest cyber security stories:

  • Uber hacked for third time in six months #FacePalm ????‍♂️
  • CryptoClippy steals your cryptos
  • Genesis (cybercrime) Market is far from its… genesis. #shutdown


Uber was yesterday the victim of yet another data breach; its third in six months. The Silicon Valley-based ride-hailing and food ordering app obviously needs to up its third-party game and protect its driver’s private info better!

Genova Burns, a mid-sized law firm in New Jersey has had to contact Uber drivers with its tail between its legs to inform them that their personal data has ONCE AGAIN been leaked. Embarrassing.

As mentioned, Uber’s been the target of hacks three times in six months, but to be clear, the others didn’t involve Genova Burns.

As far as we can tell, this latest leak seems to be limited to drivers operating in the New Jersey area and includes social security (National Insurance number, UK readers!) and tax identification numbers.

Credit where credit’s due: Genova Burns immediately hired a forensic team to investigate the data breach, informed authorities and promised to improve their security measures to prevent future hacks.

This is what Uber had to say about the breach: “These drivers have been notified that their social security number and/or tax identification number have been potentially impacted and offered complimentary credit monitoring and identity protection services.

“Genova Burns indicates that they are not aware of any actual or attempted misuse of the information and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future.” Phew!

Uber hack timeline:

  • September: Uber experienced another cybersecurity breach that led to the shutdown of its internal tools, communications, and engineering systems. The company attributed the attack to an affiliate of the Lapsus$ group.
  • December: Teqtivity, an IT asset management service used by Uber, was targeted in a cyberattack resulting in the leakage of corporate information including source code and IT asset management reports of over 77,000 Uber employees.
  • April: Genova Burns hack… We already told you about that one ????


This town ain’t big enough for the two of us Clippy. News flash folks, there’s a new Clippy in town (full name: CryptoClippy) and it’s got its beady little eyes on your precious cryptocurrency. If you’re in Portugal, that is.

It sneaks its way onto your system by way of a particularly malevolent malvertising campaign masquerading as WhatsApp’s web app.

Indeed, the scammers have employed SEO poisoning techniques to entice users searching for “WhatsApp web” (to be precise!) to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.

Once installed, the malware gets to work messing about with your clipboard. Not to praise the sneaky you-know-whats but this is where it admittedly gets a bit clever.

The Old Switcharoo

The ClippyCrypto malware monitors victims’ clipboards (where things you ‘copy’ are stored) and when it detects that a cryptocurrency wallet address has been copied, it replaces that address with an address belonging to the scammers.

They know that if an address is being copied it most likely belongs to the victim and most likely is being copied in the process of funds being deposited into it. Make sense? Too bad, that’s as clear as we can make it.

Okay fine, here’s an expert (researchers from Unit 42) to explain: “The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to,” Unit 42 researchers said.

“It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to conduct a transaction, they actually are sending cryptocurrency directly to the threat actor.”

Yeah, like we said: The Old Switcheroo. Stay safe, amigos!


A global crackdown by law enforcement agencies has led to the closure of Genesis Market, one of the world’s largest criminal marketplaces used by online fraudsters to purchase passwords.

The marketplace sold login credentials, IP addresses, and other data that comprised the victims’ “digital fingerprints,” enabling criminals to access their bank and shopping accounts for as little as $1.

In coordinated raids carried out by law enforcement agencies from 17 countries, including the UK, 24 individuals suspected of using the site were arrested, including two men aged 34 and 36 in Grimsby, Lincolnshire, who are being held on suspicion of fraud and computer misuse.

The operation was led by the FBI and the Dutch National Police, with the involvement of the UK’s National Crime Agency, the Australian Federal Police, and numerous European countries.

More on this as the story unfolds!

So long and thanks for reading all the phish!

Recent articles