Mar 23, 2026
Chrome Malware, 8 Million Tips Exposed & Japan Legalises Hacking Back

This week on The Awareness Angle - a US general leaves maps on a train. A Chrome extension with a million users and Google's own seal of approval was quietly skimming your shopping commissions for months. Companies House left a gap in their system for five whole months that anyone could exploit just by pressing the back button. Eight million crime tips that were promised to be anonymous turned out to be anything but. New Android malware is hiding in dodgy streaming apps and going straight for your notes. And Japan has decided it's time to start hitting back.

The full episode is an hour well spent. Watch on YouTube, listen on Spotify, Apple Podcasts, or wherever you get your podcasts. Ant and Luke give you straight talking cyber news for people who actually care about the human side of security.


Visit riskycreative.com for past episodes, our blog, and our merch.


The deadline is the 3rd of April. Two weeks. Get your submission in.

If you work in security awareness and you've got something worth saying, this is the room to say it in.

The SANS Workforce Security & Risk Training Security Awareness and Culture Summit Call for Presentations is open right now, and the deadline is Friday 3rd April at 5pm ET. The summit itself runs on the 27th and 28th of August in Las Vegas at Caesars Palace, and it is the biggest gathering of security awareness, behaviour and culture professionals on the planet. 13th year running.

The summit is looking for talks, research and case studies that focus on shifting not just behaviour, but attitudes and beliefs around cybersecurity. If you've got something that's worked in your organisation, something you've learned the hard way, or a genuinely new idea worth sharing with thousands of your peers, they want to hear from you.

And if you've never presented at a conference before, this is a brilliant place to start. Mentoring is available for first time speakers, so you won't be thrown in at the deep end on your own.

If Vegas isn't on the cards, that's not a reason to miss out either. You can present remotely, so there's really no barrier to getting involved.

Submit your proposal here. Get more information on the summit here.

This Week's Stories...

BREACH OF THE WEEK - The General, The Wine, and The Classified Maps

Watch | Read

Major General Antonio Aguto Jr. was the man leading US military assistance efforts to Ukraine. In March 2024, he left classified maps on a Ukrainian train. Not because he was hacked, not because of a sophisticated cyberattack, but because he didn't follow the courier protocol that exists for exactly this reason. The documents sat on the train, unattended, until the US embassy retrieved them the following day.

Two months later, he got through the best part of two bottles of wine at a Kyiv dinner, sustained a concussion from the falls that followed, and showed up to meet Secretary of State Blinken the next morning. A 50-page Inspector General report, triggered by three anonymous complaints, covers the whole sorry story. He retired in August 2024.

We don't really care about the drinking. We care about the maps.

The Awareness Angle

  • Procedure exists for a reason - The courier protocol wasn't red tape. It was the thing standing between classified documents and a Ukrainian train seat. Shortcuts under pressure are where breaches live.
  • Impairment in high-trust roles - Organisations talk a lot about insider threats. They rarely talk about what happens when someone with top-level access simply has a bad night. Most have no real mechanism for catching it.
  • Anonymous reporting worked here - Three complaints. That's all it took to open a 50-page investigation. Whistleblower channels work when people trust them enough to use them.



New Android malware is going through your notes

Watch | Read

Here's one for anyone who keeps passwords in their Notes app. Researchers at ThreatFabric have found a new Android malware called Perseus, hiding inside apps that look like IPTV streaming services. Once it's on your device it does the usual - fake login screens, keylogging etc. But then it does something a bit different. It goes straight for Google Keep and Evernote, pulling out whatever's stored there. Passwords, financial details, account recovery phrases. The stuff people stick in notes because it's convenient.

Because IPTV apps are usually downloaded outside the Play Store, the people installing them are already in the habit of skipping the security checks. Perseus knows this.

The Awareness Angle

  • Your notes app is not a password manager - Convenient, yes. Secure, no. Perseus proves attackers are actively targeting notes apps because they know that's where people hide things they shouldn't.
  • Sideloading is where the risk lives - Apps outside official stores don't go through security checks. Using IPTV apps to watch football for free is exactly the kind of habit that ends with malware on your phone.
  • Old malware never really dies - Perseus is built on Cerberus, a trojan whose source code leaked in 2020. Six years later it's back, repurposed and improved. Old threats get recycled. New actors pick them up.



672,000 people's bank data stolen, and they waited seven months to tell them

Watch | Read

Marquis is a fintech company most people have never heard of. It serves over 700 banks and credit unions, handling their data analytics and marketing. In August 2025, it was hit by ransomware. Names, dates of birth, addresses, Social Security numbers, bank account details, card details, all gone. 74 banks disrupted. 36 class action lawsuits filed.

The people whose data was stolen found out seven months later.

Marquis has sued its firewall provider SonicWall, blaming a vulnerability in SonicWall's cloud backup service for giving the attackers a way in. SonicWall hasn't commented publicly.

The Awareness Angle

  • Third-party vendors are a single point of failure - Most people whose data was in this breach had never heard of Marquis. Their bank used Marquis. That was enough. One supplier, hundreds of institutions, hundreds of thousands of people.
  • Seven months is too long - Stolen financial data moves fast. The people affected spent seven months exposed without knowing it. Notification timelines matter.
  • Suing your supplier doesn't help your customers - Marquis pointing the finger at SonicWall might play out in court. It doesn't change anything for the 672,000 people whose Social Security numbers are now out there.



Google Featured it. It was stealing from you.

Watch | Read

"Save Image as Type" was a genuinely useful Chrome extension. Over a million users. A Featured badge from Google, the thing you'd assume meant it had been checked and was safe. Then it changed hands. The new owners quietly updated it with code that hijacked affiliate links, redirecting shopping commissions from Amazon, Adidas and Shein to themselves. The malicious behaviour only kicked in after you'd saved at least 10 images, specifically to avoid detection.

Microsoft Edge had removed the same extension a year earlier. Google kept featuring it until March 2026.

Anthony had it installed. He removed it live on air.

The Awareness Angle

  • A Featured badge is not a safety guarantee - Google's own stamp of approval didn't catch this for months after Edge flagged it. Trust the badge less than you think you should.
  • Extensions update themselves silently - The original extension was fine. Then it changed hands, the code changed, and nothing told you. That's the problem with extensions, you install them once and forget they exist.
  • Browser extensions have sweeping access - This one only went after affiliate commissions. The same access could have harvested your passwords, injected malware, read everything you typed. Go through your extensions. Remove anything you don't actively use.


Phish Of The Week

Brought to you by the threat intelligence team at Hoxhunt

Emirates Airline Impersonation - Loyalty Reward Notification

Legitimate services used to send phishes...yeah, that's a thing!

Watch

This one's sneaky because it arrives from a real email address. noreply@campaign[.]eventbrite[.]com is a legitimate Eventbrite domain. Someone has simply set up an event on Eventbrite with Emirates branding and used the platform's mailing functionality to send the phish. The sender name reads "Emirates Millies" - RN rendered close together in certain fonts looks like M, a trick we've seen used against Microsoft too.

Inside: the Emirates logo, a loyalty reward of AED 498.20, and a link that deliberately won't open when clicked. That's not a bug. The attacker has disabled it because clickable links get scanned by security tools automatically. Copy and paste it manually and you land on a fake Emirates login page, credential harvesting in progress.

The Awareness Angle

  • The sender name doesn't match the platform - Emirates doesn't send loyalty notifications via Eventbrite. Full stop.
  • The link won't click - Deliberate. They want you to bypass your own security tools by doing the work manually.
  • The body text uses disguised characters - Some letters are pulled from different character sets to slip past spam filters. If the text looks slightly off or inconsistent, trust that instinct.
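For anyone who wants to turn those three tells into a mail-triage check, here is an added example (ours for illustration, not Hoxhunt's tooling). The brand allowlist, the sample message and the `login.example.invalid` link are constructed assumptions.

```python
import re
import unicodedata
from email.utils import parseaddr

# Assumption: brand -> domains it really sends from (illustrative allowlist).
BRAND_DOMAINS = {"emirates": {"emirates.com"}}

def brand_mismatch(from_header):
    """Return (brand, sender_domain) when the display name claims a brand
    but the address is on a domain that brand does not own."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    # Fold the "rn" look-alike to "m" so "Ernirates" still matches "emirates".
    folded = display.lower().replace("rn", "m")
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in folded and not owned:
            return brand, domain
    return None

def mixed_script_words(text):
    """Words whose letters come from more than one Unicode script."""
    hits = []
    for word in text.split():
        # First word of the Unicode name is the script: LATIN, CYRILLIC, GREEK...
        scripts = {unicodedata.name(c, "?").split(" ")[0] for c in word if c.isalpha()}
        if len(scripts) > 1:
            hits.append(word)
    return hits

def unlinked_urls(html):
    """URLs shown as plain text with no matching href (must be copy-pasted)."""
    hrefs = set(re.findall(r'href="([^"]+)"', html))
    text = re.sub(r"<[^>]+>", " ", html)
    return [u for u in re.findall(r"https?://[^\s\"<>]+", text) if u not in hrefs]

# Constructed sample modelled on the description above (not the real message).
SAMPLE_FROM = '"Emirates Millies" <noreply@campaign.eventbrite.com>'
SAMPLE_BODY = ("<p>Your loyalty rew\u0430rd of AED 498.20 is ready.</p>"
               "<p>Claim: https://login.example.invalid/emirates</p>")

if __name__ == "__main__":
    print(brand_mismatch(SAMPLE_FROM))
    print(mixed_script_words(re.sub(r"<[^>]+>", " ", SAMPLE_BODY)))
    print(unlinked_urls(SAMPLE_BODY))
```

Any one hit is a reason to look closer; all three together is the pattern described above.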


This Week's Discussion Points

Former US general got drunk in Kyiv, left classified maps on a train Watch | Read

Crime Stoppers leak exposes millions of "anonymous" tips Watch | Read

New Android malware hiding in streaming apps to spy on users' personal notes Watch | Read

FBI seizes Handala data leak site after Stryker cyberattack Watch | Read

Marquis says over 672,000 people had personal and financial data stolen in ransomware attack Watch | Read

Companies House suspends filing service after five-month security glitch exposed directors' details Watch | Read

Popular Chrome extension "Save Image as Type" removed after hijacking affiliate links for months Watch | Read

Phish of the Week: Emirates Airline Impersonation Watch

SANS Security Awareness & Culture Summit 2026 - Call for Presentations Watch

Idris Elba's wax model unlocks his iPhone Watch | Read

Pete Tong reads out a URL like it's 1995 Watch | Read

Tinder plans to let AI scan your camera roll Watch | Read

Japan to allow proactive cyber defence from October 1st Watch | Read

And Finally...

Idris Elba's wax double unlocked his iPhone. A Madame Tussauds waxwork was a convincing enough likeness to fool Face ID. Which raises the question: what exactly is Face ID checking for? Watch

Pete Tong read out a full URL on BBC Radio 1. In 1995. A clip doing the rounds of Pete Tong carefully enunciating a web address, forward slashes and all. A lovely reminder of how different things were. We're at riskycreative.com, no index.html required. Watch

Tinder wants to scan your camera roll. The dating app is planning to let AI browse your locally stored photos to figure out your interests and build your profile. Gym selfies, family photos, sensitive documents, whatever's in there. Ant checked his. Apparently it's mostly dinosaurs and things he's selling on eBay. Watch | Read

Japan legalises hacking back. From October 1st, Japan's Self-Defense Forces and police can identify and disable infrastructure used to attack them. They're calling it "proactive cyber defence." In less polite places it's called offensive cyber ops. Either way, it's a significant shift for a country that's been constitutionally locked into a defensive posture since 1946. Watch | Read

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

All views and opinions are our own and do not reflect those of our employers.
