All news with #account takeover tag
Wed, December 10, 2025
Spiderman phishing kit targets dozens of European banks
🕷️ Spiderman is a newly observed phishing kit that replicates banking and cryptocurrency login flows to capture credentials, 2FA codes, credit card details, and wallet seed phrases. Researchers at Varonis report it targets customers across five European countries and major brands including Deutsche Bank, ING, CaixaBank, PayPal, and crypto wallets such as Ledger and MetaMask. The kit’s modular control panel lets operators filter victims by country or device, intercept PhotoTAN and OTP codes in real time, export harvested data with one click, and redirect non-targeted visitors.
Tue, December 9, 2025
California Man Pleads in $263M Cryptocurrency Theft
🔒 Evan Tangeman, 22, has pleaded guilty to laundering proceeds from a sophisticated criminal network that stole roughly US $263 million in cryptocurrency. Prosecutors say the Social Engineering Enterprise was organised via online gaming connections and used hackers, impersonating 'callers', burglars and money launderers to seize and convert victims' crypto. Tangeman admitted converting about US $3.5 million and faces sentencing on April 24, 2026.
Tue, December 9, 2025
Pro-Russia Hacktivists Target Critical Infrastructure
⚠️ This joint advisory from CISA, FBI, NSA, and international partners details opportunistic intrusions by pro‑Russia hacktivist groups—CARR, NoName057(16), Z‑Pentest, and Sector16—against OT/ICS environments. Actors are exploiting internet‑exposed VNC services, using open‑source scanning and brute‑force tools to access HMI devices with default or weak credentials, causing loss of view, configuration changes, and operational downtime. The advisory urges organizations to reduce public exposure, apply network segmentation, enforce strong authentication (MFA where feasible), harden device credentials, and follow secure‑by‑design guidance for OT products.
Tue, December 9, 2025
Whaling attacks against executives: risks and mitigation
🎯 Whaling attacks are highly targeted social engineering campaigns aimed at senior executives that combine reconnaissance, spoofing, and urgency to trick leaders into divulging credentials, approving transfers, or executing malware-laden actions. Threat actors exploit executives’ visibility, limited time, and privileged access, and increasingly leverage generative AI and deepfakes to scale and refine impersonations. Key defenses include personalised executive simulations, strict multi-party approval flows for high-value transfers, AI-enhanced email filtering, deepfake detection, and a Zero Trust approach to access.
Mon, December 8, 2025
Preparing Retailers for Holiday Credential Threats
🔒 Retailers face concentrated credential risk during holiday peaks as bot-driven fraud, credential stuffing and pre-staged automated attacks target logins, payment tokens and loyalty balances. Effective defenses combine adaptive MFA, bot management, rate limiting and credential-stuffing detection to stop automation without harming checkout conversion. Strong controls for staff and third parties, plus tested failovers and tools like Specops Password Policy to block compromised passwords, reduce blast radius and protect revenue.
Fri, December 5, 2025
SpyCloud: Phishing Targets Corporate Users 3x More
🔍 SpyCloud reported a 400% year‑over‑year increase in successfully phished identities, finding nearly 40% of more than 28 million recaptured phish records contained business email addresses—about three times the rate observed in recaptured malware. The company warns phishing has become the preferred gateway into enterprise environments and is fueling follow‑on attacks such as ransomware. SpyCloud urges organizations to adopt real‑time visibility and automated post‑compromise remediation across both personal and professional identities.
Fri, December 5, 2025
Coupang Exposes 33.7M Accounts Due to Key Mismanagement
🔒 Coupang disclosed an unauthorized exposure affecting approximately 33.7 million user accounts, an incident investigators trace to long‑neglected token signing keys in its authentication infrastructure. Leaked records reportedly included names, email addresses, shipping address lists and some order details; payment and login credentials were not exposed. Authorities and a joint public-private investigation are probing the breach and potential regulatory violations, and a former authentication engineer is the prime suspect.
Thu, December 4, 2025
SMS Phishers Pivot to Points, Taxes and Fake Retailers
🚨 China-based phishing-as-a-service groups have deployed thousands of mobile-targeted scam domains using SMS (iMessage/RCS) lures that promise rewards points, tax refunds or bargains to harvest payment data. Sites collect name, address and card details, then request a one-time code — which fraudsters use to enroll stolen cards in Apple or Google mobile wallets. These fake e-commerce shops are advertised on major platforms and can remain active for months, making them harder to detect; reporting suspicious messages and domains to blocklists such as SURBL and threat scanners helps accelerate takedowns.
Thu, December 4, 2025
Momberger Alerts Customers of Fraudulent Invoice Emails
🔔 Momberger – Lack & Technik warns customers of a targeted email fraud campaign that began on December 1. The company says unauthorized access to an email account was used to send forged messages requesting payment of fictitious invoices; only existing customer addresses were targeted. Momberger urges recipients not to pay or to open links or attachments, and says systems have been secured while additional protections and authorities are involved.
Thu, December 4, 2025
Phishing, Privileges and Passwords: Identity Risk Guide
🔒 Identity-focused attacks are driving major breaches across industries, with recent vishing incidents at M&S and Co-op enabling ransomware intrusions and combined losses exceeding £500 million. Attackers harvest credentials via infostealers, targeted phishing/smishing/vishing, breached password stores and automated attacks like credential stuffing. Implement least privilege, strong unique passwords in managers, MFA (authenticator apps or passkeys), PAM and automated identity lifecycle controls to limit blast radius.
Thu, December 4, 2025
GoldFactory Targets SE Asia with Modified Banking Apps
🛡️ Group-IB says the financially motivated actor GoldFactory has launched a new campaign across Indonesia, Thailand, and Vietnam, distributing modified Android banking apps that serve as droppers for remote‑access trojans. The campaign, active since October 2024 and linked to activity as far back as June 2023, relies on phone-based social engineering and messaging apps like Zalo to direct victims to fake Play Store landing pages. Injected modules preserve normal banking functionality while hooking app logic to bypass security checks, abuse accessibility services, and exfiltrate credentials and account balances.
Wed, December 3, 2025
Star Blizzard Targets Reporters Without Borders in Phishing
📧 Sekoia.io researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus intrusion set Star Blizzard (aka Calisto/ColdRiver) that targeted NGOs including Reporters Without Borders in May–June 2025. Operators impersonated trusted contacts via ProtonMail, using a custom Adversary-in-the-Middle kit to harvest credentials and relay 2FA prompts through compromised sites and redirectors. Observed tactics included a ZIP disguised as a .pdf, decoy encrypted PDFs instructing victims to open files in ProtonDrive, injected JavaScript to lock password-field focus, and an API-driven workflow for handling CAPTCHA and 2FA challenges, underscoring continued risk to Western organizations supporting Ukraine.
Wed, December 3, 2025
Hybrid 2FA Phishing Kits Evade Kit-Specific Detection
🔐 Researchers at Any.Run report a hybrid 2FA-phishing strain that fuses elements of Salty2FA and Tycoon2FA, producing payloads that evade detection rules tuned to either kit alone. The samples begin with Salty-style obfuscation and trampoline JavaScript, then shift into Tycoon’s DGA domains and AiTM execution chain. Analysts warn defenders to focus on behavioral patterns and fallback routines rather than static indicators of compromise.
Wed, December 3, 2025
AI Phishing Factories: Tools Fueling Modern BEC Attacks
🔒 Today's low-cost AI services have industrialized cybercrime, enabling novice actors to produce highly convincing BEC and phishing content at scale. Tools such as WormGPT, FraudGPT, and SpamGPT remove traditional barriers by generating personalized messages, exploit code, and automated delivery that evade static filters. Defensive detection alone is insufficient when signatures continually mutate; organizations must protect identity and neutralize credential exposure. Join the webinar to learn targeted signatures and access-point controls to stop attacks even after a click.
Tue, December 2, 2025
India Orders Messaging Apps to Bind Accounts to SIMs
🔒 India's Department of Telecommunications (DoT) has directed messaging apps to bind accounts to an active, KYC‑verified SIM linked to the user's mobile number, with platforms required to comply within 90 days. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 aims to curb phishing, cross‑border fraud and remote account takeovers by closing gaps from long‑lived web/desktop sessions. Providers must enforce continuous SIM linkage and force web sessions to log out every six hours, requiring QR re‑linking. The DoT also announced a Mobile Number Validation (MNV) platform for decentralized, privacy‑compliant verification.
Tue, December 2, 2025
Researchers Expose Lazarus APT Remote-Worker Scheme Live
🔍 A joint investigation by Mauro Eldritch (BCA LTD), NorthScan, and ANY.RUN captured operators from North Korea's Lazarus Group Famous Chollima working through a network of remote IT contractors. Analysts used long-running sandbox VMs that mimicked real developer laptops to observe live activity without alerting the intruders, recording credential collection, AI-assisted interview tooling, OTP handling, and persistent access via Google Remote Desktop. The study found identity and workstation takeover — not traditional malware — as the primary intrusion method, underscoring significant risks in remote hiring and contractor vetting.
Tue, December 2, 2025
Fake Calendly Invites Spoof Brands to Hijack Ad Accounts
📅 A targeted phishing campaign uses fake Calendly meeting invitations impersonating recruiters from major brands to harvest Google Workspace and Facebook Business credentials. The lures are professionally crafted—likely produced with AI—and direct victims through a CAPTCHA to an AiTM credential‑harvesting flow capable of bypassing some 2FA protections. Compromised ad manager accounts are then leveraged for malvertising, geo‑targeted attacks, device‑specific campaigns, or resale on illicit markets.
Mon, December 1, 2025
Australian Man Jailed Seven Years for 'Evil Twin' Wi‑Fi
🔒 A 44-year-old man has been sentenced to seven years after pleading guilty to operating “evil twin” Wi‑Fi networks to harvest credentials and intimate images. AFP officers found a Wi‑Fi Pineapple, a laptop and a phone after airline staff reported a suspicious hotspot during a domestic flight. Forensic analysis recovered thousands of images and account credentials, and investigators linked malicious pages to airports and flights. Authorities advised users to disable automatic Wi‑Fi, use a reputable VPN, turn off file sharing and avoid sensitive transactions on public hotspots.
Mon, December 1, 2025
Oversharing Risks: Employees Posting Too Much Online
🔒 Professionals routinely share work-related details on platforms such as LinkedIn, GitHub and consumer networks like Instagram and X, creating a public intelligence trove that attackers readily exploit. Job titles, project names, vendor relationships, commit metadata and travel plans are commonly weaponised into spearphishing, BEC and deepfake-enabled schemes. Organisations should emphasise security awareness, implement clear social media policies, enforce MFA and password managers, actively monitor public accounts and run red-team exercises to validate controls.
Fri, November 28, 2025
Operator jailed for in-flight evil twin Wi-Fi attacks
🔒 An Australian man was sentenced to seven years and four months for operating an evil twin Wi-Fi network that targeted airline passengers and airport patrons in Perth, Melbourne and Adelaide. He deployed a WiFi Pineapple to clone legitimate SSIDs and present phishing captive portals that harvested social media credentials, then used those accounts to access victims' private messages and intimate images. Forensic analysis of seized devices recovered thousands of stolen images, videos, credentials and records of fraudulent Wi‑Fi pages.