PHISH & TELL 033

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Welcome back to Phish & Tell, the weekly digest focused on cybersecurity threats and scams that matter to women small‑business owners. This issue covers major developments reported between December 4 and December 11 2025. Each short article explains what happened, why it matters to you, and practical steps you can take. The final section, The Safety Snap, highlights a personal scam‑awareness tip that can keep you and your family safe.

1. Google issued emergency updates for Chrome

   Source: BleepingComputer 
   What happened: Google issued emergency updates for Chrome on Windows, macOS and Linux to fix a high‑severity flaw. Attackers had already been exploiting the flaw, prompting a same‑day patch in Chrome versions 143.0.7499.109/110. You can manually update if the release hasn’t yet reached your devices.
   Why it matters: Out‑of‑date browsers are a prime target for drive‑by malware and web‑based scams. A single compromised computer can give attackers a foothold into your company’s business, potentially exposing customer information or enabling business email compromise.
   What to do: Open Chrome and visit Settings → About Chrome to check for updates and restart the browser. Turn on automatic updates and adopt a “patch early, patch often” mindset. Share with your team.

2. For app developers: Over 10,000 Docker Hub images leak API keys, passwords, and other “secrets”

   Source: BleepingComputer
   What happened: Researchers scanning Docker Hub found that more than 10,000 publicly available images contained exposed secrets such as API keys, tokens and passwords. (A Docker image is a standardized package that includes all the files, binaries, libraries and configurations needed to run an application, so it acts like a self‑contained template that lets you spin up the same app consistently on any computer.) Many belonged to small and medium‑sized organizations, with 42 percent of images containing at least five secrets. Typical mistakes included leaving .env files or hard‑coded credentials in container images. In about 75 percent of cases, the leaked keys were still valid.
   Why it matters: If you use developers who use Docker images, their own or others, hidden secrets may grant attackers access to your cloud environment, payment processors or CRM systems. Once leaked, those credentials can be abused indefinitely.
   What to do: Have a policy to never store secrets in container images. Use a dedicated secrets manager and pass credentials in only when the app runs. Audit the images and revoke any exposed secrets, keys, passwords, and tokens immediately. (Just deleting them doesn’t remove them from the history, and cybercriminals take advantage of that.) Consider scanning third‑party images before using them.

3. Cloudflare blocks the largest attack ever

   Source: The Hacker News
   What happened: Cloudflare reported mitigating the largest distributed denial‑of‑service (DDoS, pronounced dee-dos) attack ever recorded, peaking at 29.7 terabits per second. This was the largest attack ever designed to knock websites offline by overwhelming them with fake traffic — the kind of attack that can take a small business website down in seconds if it doesn’t have protection in place.

   The attack lasted just 69 seconds and originated from a botnet‑for‑hire, which is estimated to consist of up to 1–4 million infected hosts. (An infected host is a computer, phone, or smart device that’s been secretly taken over by malware and is being used by criminals — often without the owner knowing — to send spam, attack websites, or spread scams. Think of it like your device catching a digital virus and quietly doing someone else’s dirty work.) Cloudflare noted a significant quarter‑over‑quarter increase in the number of DDoS attacks it blocked.
   Why it matters: Even if your small business isn’t a high‑profile target, large botnets can be rented cheaply to knock websites offline. Extended downtime means lost sales and damaged customer trust. DDoS attacks are getting larger and shorter, making them harder to detect with basic security tools.
   What to do: Use a reputable content‑delivery network (CDN) or DDoS mitigation service to absorb traffic spikes. Talk to your web host about rate‑limiting to prevent floods and automatic failover in case your site does go down. Keep an incident response plan for website outages, including how to communicate with customers.
   

   Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

• This week’s blog post: Is Your Laptop or Phone Infected with Malware? How to Recognize the Signs and What to Do Next» As a small business owner, your devices are essential to your work. Malware—software designed to steal information, spy on activity, or disrupt operations—can slow you down or expose sensitive data. The good news is that you don’t need to be a technical expert to recognize when something is wrong. This guide outlines the most common signs of malware, how it typically gets onto devices, and the practical steps you can take if you suspect an infection.

• This Tuesday was the last Patch Tuesday of the year! Microsoft “only” patched 56 security flaws, some of which are already being exploited. Patch your operating systems, apps, and browsers. Better yet, set them to update automatically.

• Follow us on LinkedIn, Facebook or Instagram. Youtube is in the works (subscribe to get notified when I finally start getting these videos out there!)

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

SMS phishers take advantage of holiday shopping and the end of the tax year in the US to pivot to rewards points, fake retailers, and tax refunds.

Investigations by Krebs on Security uncovered that China‑based phishing groups continue to send SMS messages, which now are focused on unclaimed tax refunds or rewards points, and luring victims to fake e‑commerce sites.

Over the past week, thousands of domains spoofing telecom providers like T‑Mobile were registered. The sites ask for name, address, phone number and payment card data and then prompt victims for a one‑time code. Fraudsters use the code to enroll the card in an Apple Pay or Google Pay wallet that they control.

Similar scams spoof U.S. tax authorities. Attackers also operate fake e‑commerce storefronts that are advertised on social media and search ads; these sites look legitimate and only reveal malicious code during checkout. Falling for these scams can compromise your personal or company credit cards and lead to fraudulent charges.

What you can do: Treat unsolicited reward or tax messages as suspect. Verify the legitimacy of offers by visiting the official website directly. If an online store seems suspicious, run a WHOIS lookup to see when its domain was created; newly registered domains are often fraudulent. Avoid clicking links in unexpected texts, and monitor your credit card statements. (How do you run a WHOIS — literally, “who is”— lookup? Open a terminal or command window and type “whois [yourdomain.com]”. For example, type whois example.com and hit return. You’ll see it was created in 1992. Try your own domain and see what’s publicly available. Note: You can also use a WHOIS website such as your registrar’s lookup tool if you don’t have the whois command installed.)

💬 A PERSONAL NOTE

I have pledged every weekend that THIS was the weekend I was going to do my holiday decorating. Well, THIS is the weekend. Really. My evil plan is this: My youngest teen is having a sleepover. I’m planning on Christmas music, snacks, a fire in the fireplace, and getting them to decorate the tree! Mwah hah hah. (Very Mark Twain-esque.)

👂 TELL ME

Have you dealt with a cybersecurity incident? What would you share with your past self, if you could?

Stay safe and see you next week 🌟 

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷