Aug 24, 2025
Your VPN Extension Might Be Watching You Right Now!

This week’s episode is packed with cyber scams, shady extensions, and even hackers opening floodgates at a dam in Norway. We’re talking about how censorship laws could reshape the internet, the UK quietly backing down in its Apple privacy fight, and a new infostealer campaign disguised as copyright warnings. Add in PayPal credential dumps, Workday’s social engineering breach, and Chrome extensions spying on users, and there’s plenty to dive into. Plus, we take a look at the latest SANS 2025 Security Awareness Report and what it means for awareness teams everywhere.

🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube


Fake Copyright Emails Delivering Malware

Watch the discussion - https://youtu.be/Vcol4c93Eg8?t=670

Attackers are sending out spear-phishing emails that pretend to be legal threats from law firms over copyright or IP infringement. The emails look convincing, mentioning details like Facebook page IDs or company names, and urge recipients to download a file. That “PDF” is actually a disguised archive carrying the Noodlophile infostealer, which steals cookies, saved cards, and login credentials while hiding on the system.

Read more - https://www.helpnetsecurity.com/2025/08/18/noodlophile-infostealer-spear-phishing-campaign-copyright-infingement/

∠The Awareness Angle

  • Fear as a Trigger – Legal threats create panic, pushing people to click quickly without questioning.
  • Malware Masquerade – The file looks like a PDF but is really an installer that sideloads malware into trusted apps.
  • Expanding Threat – This isn’t just hitting small creators anymore, it’s now targeting businesses worldwide.

Workday Breach via Social Engineering

Watch the discussion - https://youtu.be/Vcol4c93Eg8?t=1251

Workday, the HR and enterprise software provider, disclosed a breach after attackers posed as HR or IT staff over phone and text to trick employees into handing over credentials. The attackers accessed a connected CRM platform, exposing business contact details like names, emails, and phone numbers. While no sensitive HR or financial data was taken, those details can be weaponised in phishing and social engineering campaigns.

Read more - https://securityaffairs.com/181271/data-breach/human-resources-firm-workday-disclosed-a-data-breach.html

∠The Awareness Angle

  • Social Engineering Wins – A simple call or text can bypass strong technical controls if trust isn’t questioned.
  • Small Data, Big Risk – Even “just” names and emails can fuel convincing phishing or extortion attempts.
  • Third-Party Weakness – Breach came through a connected CRM, highlighting supply chain and SaaS risks.

PayPal Credentials for Sale

Watch the discussion - https://youtu.be/Vcol4c93Eg8?t=1250

A cybercriminal claims to be selling 15.8 million PayPal logins in plain text for just $750. While researchers say it’s unlikely PayPal itself was breached, the data probably comes from infostealer malware logs that harvested credentials from infected devices. Even if many accounts are fake or outdated, the inclusion of PayPal login URLs makes it easier for attackers to launch automated credential stuffing and fraud attempts.

Read more - https://hackread.com/threat-actor-selling-plain-text-paypal-credentials/

∠The Awareness Angle

  • Not a PayPal Breach – The danger comes from malware stealing credentials on personal devices, not PayPal’s systems.
  • Password Reuse Problem – Recycled passwords could expose accounts on other services, not just PayPal.
  • MFA is Essential – Multi-factor authentication remains the best defence if passwords are compromised.

Pro-Russian Hackers Breach Norwegian Dam

Watch the discussion - https://youtu.be/Vcol4c93Eg8?t=1929

Norway’s Police Security Service confirmed that pro-Russian hackers briefly seized control of a hydropower dam earlier this year. Attackers remotely opened floodgates, releasing 500 litres of water per second for four hours before being stopped. No damage occurred, but the hackers later posted video proof of the breach on Telegram to amplify fear. The attack highlights how critical infrastructure can be manipulated as part of hybrid influence campaigns rather than outright destruction.

Read more - https://securityaffairs.com/181143/hacktivism/norway-confirms-dam-intrusion-by-pro-russian-hackers.html


Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

This Week's Discussion Points...

  • Censorship is going to destroy the internet
  • UK backs down in Apple privacy row
  • Noodlophile infostealer behind fake copyright notices
  • 15.8M PayPal credentials for sale
  • Workday data breach via social engineering
  • Android–iPhone messaging security upgrade
  • Norway dam intrusion by pro-Russian hackers
  • Chrome VPN extension spying on users
  • Google patches critical Chrome flaw
  • SANS 2025 Security Awareness Report
  • NowTV anti-piracy ad
  • Chipotle phishing simulation backlash

📬 Subscribe to the Newsletter

https://www.riskycreative.com

Free Chipotle? It’s a Phish

Watch - https://youtu.be/Vcol4c93Eg8?t=3296

A viral Instagram video shows an employee falling for a simulated phishing email offering free Chipotle. She clicked the link, filled in her order, and turned up at work expecting lunch — only to discover it was a test. Instead of burritos, she got three hours of mandatory phishing training. While it makes for a funny video, it raises serious questions about how organisations run phishing campaigns. Humiliating staff and punishing them harshly for one mistake can backfire, creating resentment instead of awareness.

∠The Awareness Angle

  • Humour or Harm? – Funny to watch, but heavy-handed training risks damaging trust with employees.
  • Punishment vs Learning – Phishing simulations should build awareness, not embarrass staff.
  • Better Approaches – Supportive feedback, coaching, and bite-sized training are more effective than punitive measures.

Watch it at - https://www.instagram.com/p/DNkKhYssbRW/

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
