
Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic

Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic.

Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems.

Rather than reaching out to attacker-controlled infrastructure that might raise alarms, the backdoor hid its activity inside traffic associated with Microsoft's widely used collaboration platform. To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers.

"The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors."

Symantec said the attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware, potentially giving them a way back into compromised networks or access they could later sell to other criminals.

To connect to Microsoft's infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server – infrastructure typically used to help establish communication between users – before establishing a direct QUIC connection to a malicious command-and-control server. Symantec said this is the first known case of malware using this particular technique.

The security firm did not identify the victim beyond describing it as a major US services company, nor did it say whether the Teams-based communications channel had been observed in other DragonForce incidents.

The ransomware operation has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner. It has been linked to the prolific Scattered Spider group, which has conducted a string of high-profile attacks, including intrusions targeting major retailers in the UK.

While attackers have long abused legitimate cloud services to conceal malicious traffic, Symantec's findings suggest that DragonForce operators continue to look for ways to blend into the software and infrastructure that organizations trust most. ®


Cardiac monitor maker's security skips a beat as data thieves go for the jugular

Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday.

The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health.

The company said it detected unauthorized activity on June 8 and launched an investigation with the help of third-party cybersecurity experts. A day later, the company received messages from a cybercriminal claiming to have obtained sensitive information, including proprietary company data, protected health information, and other personal information.

According to iRhythm's filing with the US Securities and Exchange Commission, the attackers demanded payment in exchange for not publicly disclosing the stolen data. The company confirmed that data had been exfiltrated and, on June 10, determined that the incident was material due to the volume of information potentially affected.

While the company disclosed the extortion demand and the existence of stolen data, it made no mention of negotiations.

iRhythm spent a good chunk of the filing explaining what the attackers didn't get. According to the company, the intrusion was confined to business applications and never reached its clinical systems, medical devices, or customer connections. Patient care and day-to-day operations were unaffected.

The company has not yet disclosed how many individuals may be affected, what data was accessed, or which third-party-hosted applications were involved in the breach. It has also not identified the threat actor behind the attack, and The Reg has found no evidence of major ransomware groups claiming responsibility.

The company's filing states the attackers gained access through social engineering. Exactly how that happened remains unclear, although healthcare organizations have increasingly found themselves dealing with phishing campaigns, help desk impersonation scams, and other forms of human-targeted intrusion designed to bypass technical defenses.

As of the filing date, iRhythm said it had not identified any ongoing unauthorized access to its systems and believed the incident was unlikely to have a material impact on its financial condition or operating results. The company added that it maintains cyber insurance that may cover some of the losses associated with the breach.

iRhythm's disclosure comes less than a week after drug giant Novo Nordisk revealed that attackers had copied patient data from some clinical trials, adding another healthcare name to a growing list of organizations dealing with data theft and extortion attempts. ®


Scammers keep scoring: Brits fleeced for £1.3B as Americans lose $3.5B to impersonators

Brits lost £1.28 billion ($1.7 billion) to payment fraud last year as scams continued to thrive on online platforms and telecoms networks, according to the latest figures from banking trade association UK Finance.

The 2025 losses represent a modest four percent rise on the previous year, the trade association said, but the main sources of fraud remained familiar.

UK Finance said two-thirds (66 percent) of incidents start with online platforms, such as scams promoted through social media adverts. Telecoms accounts for a smaller proportion (17 percent) but encompasses crimes such as impersonation fraud, which can result in larger per-crime losses.

Calling for tighter regulations on tech and telecoms, UK Finance said online marketplaces must take measures to reduce scammers' use of their platforms. This could include prohibiting off-platform payments, relying solely on secure alternatives. It also called for stronger action against fraudulent social media advertising.

"The financial sector invests huge amounts in protecting customers, but we cannot be the only line of defense," said Ruth Ray, managing director of economic crime at UK Finance. "Almost £1.3 billion was stolen again last year and it is clear we are not tackling the underlying problem effectively enough.

"Given most authorized push payment (APP) fraud still starts via online tech platforms or via telecoms, we urgently need stronger, enforceable responsibilities to be placed on these sectors. This is the way to reduce the harm and stop criminals and tech companies profiting from these devastating crimes."

APP fraud losses jumped 19 percent in 2025 compared with the year before. Total losses exceeded £576 million ($772.8 million), and consumers incurred the vast majority of these losses. Of the total cases, purchase scams comprised more than seven in ten, with annual losses increasing 20 percent to £118.1 million ($158.4 million).

APP fraud involves convincing the victim to pay for something themselves, but the criminal giving the orders is the only party to financially benefit. Crimes that fall under the APP umbrella include investment fraud, romance fraud, and impersonation fraud – all of which saw double-digit percentage increases in case numbers.

"What makes APP scams particularly worrying is how much can be lost before a victim even realizes, and how little advice still exists for consumers once it happens," said Aditya Hindocha, VP of account partnerships at SquareTrade Europe. "Device warranties largely won't cover data theft. Home insurance excludes digital losses. Banks may refund some fraudulent transactions, but there's no guarantee. Consumers today lack support for what comes next: restoring stolen funds, recovering a compromised identity, or navigating the months of fallout that follow."

Unauthorized payment fraud, under which the remaining offenses fall, accounted for a higher value of total losses (£703.4 million/$943.8 million). While the total value of losses represents a decrease of five percent compared to 2024, the number of cases increased by 11 percent to 3.81 million, according to the latest report [PDF].

Unauthorized fraud encompasses offenses such as online payments made using stolen card details, lost or stolen card fraud (such as ATM skimming, petty card theft), remote banking fraud, and contactless fraud.

US faring no better

The Federal Trade Commission published figures this week for impersonation fraud in the US, which reached $3.5 billion in associated losses last year. It said that impersonation fraud was the most commonly reported fraud type last year, accounting for nearly one in three cases across 2025.

Nearly $1 billion of the total was lost after scammers impersonated a business, with the most common type being banks, and around $920 million as a result of government impersonations, up from $866 million and $789 million respectively in 2024.

According to the FBI's annual cybercrime report, published in April, government impersonation fraud saw the biggest increase in case numbers of all offenses, up 128 percent from 2023 to 2025. A separate warning from May 2025 urged citizens to be wary of the common tricks scammers use in these cases, which increasingly involve AI-generated voices to convince victims they are speaking with genuine government representatives. ®


Garlasco, a witness emerges: “I saw a blonde woman, she had wild eyes. They threatened me, telling me to mind my own f***ing business”

“I saw her, she had wild eyes like you can't imagine.” This is the testimony of a man who on 13 August 2007, the day Chiara Poggi was murdered, was reportedly in Garlasco and came across a person on a bicycle. The man in question had already reported what he saw to the Carabinieri in July 2025. Now his testimony is topical again because it was gathered by Antonino Monteleone in the episode of “Filorosso” airing on 15 June on Rai 3.

The witness's words

A testimony “that made us jump,” the host explains to viewers, speaking of the account given by a man who was reportedly near the villa on Via Pascoli on 13 August 19 years ago. “We tracked this person down and asked him to put this testimony in context,” Monteleone explains before playing the audio of his conversation with the witness, who explains that his words were taken lightly by everyone, “but I didn't tell a lie, because I was there that day and I remember very well what I saw. I saw her, she had wild eyes like you can't imagine, and I also told [the Carabinieri, ed.]: ‘I remember the details of a black bicycle, it had shiny spokes, it looked like a new bicycle.’” “The one certainty is a woman with blonde hair,” Monteleone presses him. “Speaking as a man, objectively she was a beautiful girl, so of course I looked at her with particular attention,” the witness replies. “And in my witness statement I also explained why it took me time to say it. What gets on my nerves is that so many people talk but don't know the facts, and they judge.”

“They threatened me”

And further: “I'm not from that area; even though I live in the province of Pavia I really don't know anyone from Garlasco, I have no ties with anyone. I have always worked with nightclubs and events, so I was there for work. I remember very well what I saw; the person I saw also looked at me, we looked each other in the face.” The alleged witness says he has received threats: “I was also threatened for what I said, and I was scared because I don't know how they knew what I had said. They rang my doorbell and told me to mind my own f***ing business, that I shouldn't know anything about Garlasco.” The man, confiding in the journalist, also regrets that his words have so far not been given much weight: “I provided everything and then nobody gives a s**t. It's as if what I saw… who cares. It eats away at me that nobody takes an interest in that,” he concludes.

The article Garlasco, a witness emerges: “I saw a blonde woman, she had wild eyes. They threatened me, telling me to mind my own f***ing business” comes from Il Fatto Quotidiano.
