This month focuses on the INTERPOL-led ‘Operation Red Card’, the top WordPress vulnerabilities targeted by attackers in Q1 2025, and the new advanced Phishing-as-a-Service platform Morphing Meerkat.
INTERPOL’s ‘Operation Red Card’ Targets African Cybercriminal Networks
African law enforcement agencies arrested 306 individuals in a major cybercrime crackdown led by INTERPOL, called Operation Red Card, between November 2024 and February 2025.
Summary
- Authorities confiscated 1,842 devices used in scams involving mobile banking, investment fraud, and messaging app schemes linked to over 5,000 victims.
- INTERPOL facilitated information exchange between Benin, Côte d’Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia, using criminal intelligence from Group-IB, Kaspersky, and Trend Micro.
- Nigeria’s Major Crackdown: 130 individuals (including 113 foreign nationals) were arrested for investment fraud and online casino scams, with illicit earnings hidden in digital assets. Some detained individuals were possible human trafficking victims. Overall, the investigation led to the seizure of 26 vehicles, 16 houses, 39 plots of land, and 685 devices.
- Zambian Cybercrime Gang Exposed: Authorities arrested 14 suspects who used malware-infected links to hack victims’ phones, take over messaging and banking apps, and spread scams.
- SIM Box Fraud in South Africa: Law enforcement arrested 40 individuals, seizing 53 computers and over 1,000 SIM cards used to reroute international calls as local ones, facilitating large-scale SMS phishing attacks.
- Rwandan Scam Network Busted: 45 suspects were arrested for social engineering scams in which they impersonated telecom staff or posed as injured relatives seeking financial aid, defrauding victims of over $305,000 in 2024.
- Neal Jetton, INTERPOL’s Director of the Cybercrime Directorate, emphasized that the arrests and asset recoveries send a strong message that cybercriminals will face justice.
- In a previous INTERPOL operation, Operation Serengeti (Sept–Oct 2024), 1,006 suspects were arrested for ransomware, digital extortion, BEC, and online scams.
- As part of Operation Africa Cyber Surge II (April 2023), INTERPOL disrupted over 20,000 cybercrime networks involved in phishing, extortion, and BEC, preventing over $40 million in losses.
- Read more about it here.
Most Targeted WordPress Plugin Vulnerabilities in Q1 2025
A new report highlights four critical WordPress plugin vulnerabilities that hackers actively exploited in Q1 2025. These vulnerabilities were discovered and patched in 2024, but many sites remain unpatched, allowing attackers to execute arbitrary code or steal data.
Summary
- CVE-2024-27956 – SQL Injection in WordPress Automatic Plugin: A SQL injection vulnerability in the WordPress Automatic Plugin (40,000+ installs) allows unauthenticated attackers to run SQL queries via the CSV export feature. Wallarm first detected active exploitation in May 2024, and Patchstack blocked 6,500+ attacks this year.
- CVE-2024-4345 – File Upload Exploit in Startklar Elementor Addons Plugin: This vulnerability (5,000+ installs) allowed attackers to upload malicious executable files due to missing file type validation. Patchstack blocked thousands of attacks.
- CVE-2024-25600 – Remote Code Execution in Bricks Theme: This flaw (30,000+ installs) let unauthenticated users execute PHP commands through a REST API route due to weak permission checks. Patchstack and Wordfence detected active exploitation in February 2024 and blocked hundreds of attacks.
- CVE-2024-8353 – PHP Object Injection in GiveWP Plugin: Affecting 100,000+ installs, this vulnerability allowed attackers to take over sites via insecure deserialization of donation parameters. Patchstack prevented hundreds of compromise attempts.
- Although many attacks are blocked or fail, not all WordPress sites have effective security tools like Patchstack or Wordfence, increasing the likelihood of successful exploits across the ecosystem.
- CcHUB recommends that website administrators apply security updates, disable unused plugins and themes, delete dormant accounts, and enforce strong passwords and multi-factor authentication to reduce attack risks.
- Read more about it here.
Morphing Meerkat: Advanced Phishing-as-a-Service Platform
Google and Mozilla have released updates for Chrome 133 and Firefox 135 to address multiple high-severity memory safety vulnerabilities.
Summary
- A sophisticated Phishing-as-a-Service (PhaaS) platform, Morphing Meerkat, has been found spoofing over 100 brands to steal credentials by dynamically generating fake login pages based on victims’ email service providers.
- The phishing kit queries the DNS MX record of a victim’s email domain to identify their service provider and dynamically serve a fake but realistic login page.
- Researchers discovered that Morphing Meerkat has sent thousands of phishing emails, leveraging legitimate mail configurations to make attacks harder to detect.
- Originally detected in 2020, the early kit mimicked only five email brands (Gmail, Outlook, AOL, Office 365, Yahoo) and lacked translation features. Now, it supports 114 brands and adapts text dynamically into multiple languages.
- The phishing kit employs security evasion methods such as open redirects on adtech servers, obfuscated code, and redirection to legitimate login pages after failed attempts to avoid detection.
- Stolen credentials allow attackers to infiltrate corporate networks, steal sensitive data, and launch further cyberattacks. The attackers use DNS cloaking and legitimate services to hide their activity.
- CcHUB recommends tightening DNS security by blocking user access to adtech and file-sharing services, preventing unauthorized DNS over HTTPS (DoH) connections, and reducing non-essential services to minimize the attack surface.
- Organizations should also limit exposure to security blind spots by controlling external network communications, making it harder for cybercriminals to use DNS-based phishing attacks effectively.
- Read more about it here
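A detection sketch for the MX-lookup behaviour and the DoH recommendation above. It is an added example, not code from CcHUB or the cited reports. It flags web-proxy records where a client asks a public DoH resolver for an MX record, which ordinary browsing rarely does. Assumptions: the lookup is made over DoH from the client, the log layout is "timestamp client method URL", and the resolver list and sample records are constructed for illustration. It covers both the JSON API form and the RFC 8484 `dns=` GET form.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: public DoH resolvers to watch; extend with your own list.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS QTYPE number for MX records

def question_from_wire(b64url):
    """Return (qname, qtype) from an RFC 8484 ?dns= base64url message."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    pos, labels = 12, []  # the question follows the 12-byte header
    while raw[pos] != 0:
        labels.append(raw[pos + 1:pos + 1 + raw[pos]].decode("ascii", "replace"))
        pos += 1 + raw[pos]
    return ".".join(labels), struct.unpack("!H", raw[pos + 1:pos + 3])[0]

def find_mx_doh_lookups(log_lines):
    """Return (client, resolver, domain) for DoH requests asking for MX."""
    hits = []
    for line in log_lines:
        fields = line.split()
        try:
            parts = urlsplit(fields[3])
            if parts.hostname not in DOH_HOSTS:
                continue
            qs = parse_qs(parts.query)
            if "dns" in qs:  # RFC 8484 wire format carried in a GET parameter
                name, qtype = question_from_wire(qs["dns"][0])
            else:  # JSON API: ?name=<domain>&type=MX (or type=15)
                name = qs["name"][0]
                qtype = MX if qs.get("type", ["A"])[0].upper() in ("MX", "15") else 0
        except (KeyError, IndexError, ValueError, struct.error):
            continue  # malformed record or not a DNS query
        if qtype == MX:
            hits.append((fields[1], parts.hostname, name.rstrip(".")))
    return hits

def build_wire_query(name, qtype):
    """Build a minimal DNS query; used only for the constructed sample."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + q + struct.pack("!2H", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

# Constructed sample records: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    "2025-03-30T09:14:02Z 10.0.4.17 GET https://dns.google/resolve?name=example.org&type=MX",
    "2025-03-30T09:14:05Z 10.0.4.22 GET https://cloudflare-dns.com/dns-query?dns=" + build_wire_query("example.net", MX),
    "2025-03-30T09:14:09Z 10.0.4.31 GET https://dns.google/resolve?name=example.com&type=A",
]
```

DoH queries sent as POST bodies do not appear in URL-only logs, so this complements blocking unauthorized DoH at the network edge and does not replace it.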
Sources
- https://www.interpol.int/en/News-and-Events/News/2025/More-than-300-arrests-as-African-countries-clamp-down-on-cyber-threats
- https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/
- https://www.infosecurity-magazine.com/news/morphing-meerkat-phaas-platform/