ciso brief

All news with #account takeover tag

169 articles

Chinese‑language phishing services expand globally

🛡️ Google Threat Intelligence Group analyzed a growing Chinese‑language phishing‑as‑a‑service (PhaaS) ecosystem, finding mature, professional offerings that facilitate real‑time credential and OTP interception and the tokenization of payment data. These services use encrypted channels like RCS and iMessage, provide extensive localization tools and ancillary criminal services, and often operate openly on Telegram. GTIG highlights the shift from simple password harvesting to financial account takeover and recommends stronger technical defenses such as FIDO2/WebAuthn and risk‑based verification.

Apple Blocks Billions in Fraudulent App Store Activity

🛡️ Apple reported blocking more than $2.2 billion in potentially fraudulent App Store transactions in 2025, and over $11 billion across the past six years. The company rejected over 2 million problematic app submissions, terminated 193,000 developer accounts for fraud, and blocked more than 1.1 billion fraudulent account creations. Apple also prevented use of 5.4 million stolen credit cards, removed tens of thousands of deceptive apps, and blocked nearly 195 million fraudulent reviews and ratings.

Securing a Culture of Cultures: Microsoft Gaming Risks

🎮 In this Deputy CISO post, Aaron Zollman, Vice President and Deputy CISO for Gaming at Microsoft, outlines the distinct security demands of a global, diverse gaming ecosystem. He describes gaming as a “culture of cultures,” spanning platforms, independent studios, and shared studio central teams, each carrying unique risks from account takeover and IP theft to supply chain and regulatory challenges. Zollman stresses partnership over prescription—balancing enterprise-grade controls with low-latency player experiences and studio autonomy. The piece calls for layered defenses, identity governance, anomaly detection, and tailored baselines to protect billions of interactions while enabling creativity.

Consent Phishing: OAuth Grants Enable Token Hijacks

🔐 In February 2026 the EvilTokens PhaaS campaign abused the OAuth consent flow to harvest long‑lived refresh tokens, compromising over 340 Microsoft 365 organizations across five countries. Victims completed legitimate sign‑ins and MFA at microsoft.com/devicelogin, then clicked consent and unknowingly granted broad scopes for mail, drive, calendar, and contacts. Because the attacker walked away with valid, refreshable tokens rather than passwords, MFA was satisfied by the victim's own sign‑in and the usual SIEM correlation on failed or anomalous logins had nothing to flag. The incident shows how routine consent clicks have become a critical security gap.

Tycoon2FA Uses Device-Code Phishing to Hijack M365 Accounts

🔐 The Tycoon2FA phishing kit now exploits OAuth device-code flows and misuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. eSentire found the kit rebuilt after a March takedown, adding obfuscation layers, a 230-vendor blocklist, and extensive anti-analysis checks to evade detection. Attackers trick victims into pasting device codes at microsoft.com/devicelogin, granting OAuth tokens and full access to email, calendar and cloud storage.
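The two Microsoft 365 items above (EvilTokens consent phishing and Tycoon2FA device-code phishing) leave distinct traces in tenant logs: a sign-in whose protocol is the device authorization grant, and a "Consent to application" audit event that pairs offline_access with mail, file, calendar or contact scopes. The script below is an added example written for this page, not code from the articles, eSentire or Microsoft. Field names follow the Microsoft Entra sign-in log (authenticationProtocol, appDisplayName) and directory audit log (ConsentAction.Permissions) schemas; the records are constructed, and the risky-scope set and empty device-code allowlist are the analyst's own assumptions.

```python
"""Flag OAuth device-code sign-ins and broad delegated consents in Entra-style logs.

Added example, not taken from the articles, eSentire, or Microsoft. Field names
follow the Microsoft Entra sign-in log (authenticationProtocol, appDisplayName)
and directory audit log ("Consent to application", ConsentAction.Permissions)
schemas; the records below are constructed, and the risk thresholds are the
analyst's own choices.
"""
import re

# Delegated scopes treated as high-risk when an end user grants them to a
# third-party app (analyst's choice, not a Microsoft-defined list).
HIGH_RISK_SCOPES = {
    "offline_access",            # yields a long-lived refresh token
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.ReadWrite", "Contacts.Read",
}

# Apps expected to use the device authorization grant (e.g. CLI tooling on
# headless hosts). Empty here (assumption), so every device-code sign-in is surfaced.
DEVICE_CODE_ALLOWLIST: set[str] = set()

# Constructed sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.lee@corp.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45"},
    {"userPrincipalName": "b.ng@corp.example", "appDisplayName": "Outlook Web App",
     "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "c.ortiz@corp.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10"},
]

# Constructed audit records in the shape of a "Consent to application" event.
SAMPLE_AUDIT = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "a.lee@corp.example"}},
     "targetResources": [{"displayName": "Secure Document Viewer", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: 1f2e, ConsentType: Principal, Scope: offline_access "
                      "Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite Contacts.Read, "
                      "CreatedDateTime: 2026-02-03T09:12:44Z]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "b.ng@corp.example"}},
     "targetResources": [{"displayName": "Team Lunch Poll", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: 9a7c, ConsentType: Principal, Scope: User.Read openid profile, "
                      "CreatedDateTime: 2026-02-03T10:01:02Z]]"}]}]},
    {"activityDisplayName": "Add service principal", "targetResources": []},
]


def flag_device_code_signins(records, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return sign-ins that used the OAuth device authorization grant.

    A user pasting a code at microsoft.com/devicelogin produces exactly this
    protocol value; ordinary interactive browser logins do not.
    """
    return [
        rec for rec in records
        if (rec.get("authenticationProtocol") or "").lower() == "devicecode"
        and rec.get("appDisplayName") not in allowlist
    ]


_SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def granted_scopes(consent_record):
    """Extract the space-separated delegated scopes from ConsentAction.Permissions."""
    scopes = set()
    for target in consent_record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for match in _SCOPE_RE.finditer(prop.get("newValue", "")):
                    scopes.update(match.group(1).split())
    return scopes


def flag_risky_consents(records, risky=HIGH_RISK_SCOPES):
    """Return (app, user, sorted risky scopes) for consents pairing offline_access
    with at least one data scope: a durable refresh token that reaches mail,
    files, calendar or contacts."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        overlap = granted_scopes(rec) & risky
        if "offline_access" in overlap and len(overlap) > 1:
            app = rec["targetResources"][0].get("displayName", "?")
            user = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
            hits.append((app, user, sorted(overlap)))
    return hits


if __name__ == "__main__":
    for rec in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"device-code sign-in: {rec['userPrincipalName']} via {rec['appDisplayName']} "
              f"from {rec['ipAddress']}")
    for app, user, scopes in flag_risky_consents(SAMPLE_AUDIT):
        print(f"risky consent: {user} granted {app} {' '.join(scopes)}")
```

Run against real exports, the first check is only useful once the allowlist holds the few apps and hosts that legitimately need device code; the second is a detection, not a fix, so a hit should be followed by revoking the grant and the user's refresh tokens, and by restricting user consent to verified publishers or admin approval.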

World Password Day 2026: Why Passwords No Longer Protect

🔐 The World Password Day 2026 post contends that conventional password guidance is now inadequate: a 16-character secret can be lifted by infostealer malware from browser caches or exposed when employees paste credentials into unmanaged AI chatbots. It exposes a global, commoditized underground on platforms like Telegram where harvested credentials are bought and sold. The article warns organizations that passwords alone cannot prevent account takeover and urges layered technical and policy controls.

Structured loan fraud: How attackers target credit unions

🔍 Flare researchers identified organized, process-driven loan fraud methods on underground forums that use stolen identities, social engineering, and workflow knowledge to impersonate legitimate borrowers. Attackers focus on passing knowledge-based authentication (KBA) and reconstructing verification answers from public sources and leaked datasets. They preferentially target small- and mid-sized credit unions perceived to have weaker fraud detection, then rapidly move funds through intermediaries to complete cash-out before detection.

Teen Allegedly Linked to Scattered Spider Faces Extradition

🔒 A 19-year-old allegedly tied to Scattered Spider was arrested in Helsinki and is facing U.S. extradition on counts including wire fraud, conspiracy, and computer intrusion. Prosecutors say he participated in multiple social-engineering intrusions from March 2023 through 2025 that used help-desk impersonation to reset MFA and exfiltrate data. Court filings and social-media posts reportedly tied the suspect to luxurious spending and to taunting law enforcement, underscoring how poor operational security and public boasting can accelerate investigations. The case highlights the ongoing threat of phone-based account takeover and the need for stronger, phishing-resistant controls.

FBI Links Cybercriminals to Sharp Rise in Cargo Thefts

🔒 The FBI warned transportation and logistics firms of a marked increase in cyber-enabled cargo thefts, estimating losses in the U.S. and Canada could reach nearly $725 million in 2025. Criminals are using phishing, typosquatted domains, and account compromise to post fraudulent load listings and impersonate carriers, rerouting high-value shipments. The bureau urged multi-factor authentication, dual-channel verification of shipment requests, and reporting incidents to IC3 and local law enforcement.

Three Arrested Over Hacking of 610,000 Roblox Accounts

🔒 Ukrainian authorities have arrested three suspects accused of compromising more than 610,000 accounts on the online gaming platform Roblox. Investigators say the group used social engineering lures that delivered infostealer malware to harvest usernames, passwords and authentication tokens, then assessed accounts for rare items and Robux. At least 357 high‑value accounts were identified and sold on Russian websites for cryptocurrency, reportedly generating over $225,000. Searches at ten properties recovered computers, storage devices, mobile phones, bank cards, handwritten notes and cash; analysis is ongoing and the suspects face up to 15 years if convicted.

Defending Against SaaS-Focused CORDIAL and SNARKY SPIDERS

🔐 CrowdStrike's Falcon Shield team describes how, since October 2025, CORDIAL SPIDER and SNARKY SPIDER have executed fast, SaaS-first attacks that bypass endpoint visibility. Through vishing and SSO-themed adversary-in-the-middle (AiTM) pages they capture credentials and session tokens, then pivot into identity providers (IdPs) and multiple SaaS apps. Falcon Shield detects anomalous sign-ins, new MFA enrollments, notification suppression, and adversary proxy infrastructure to disrupt campaigns.

Three Arrested Over Sale of 610,000 Stolen Roblox Accounts

🚨 Ukrainian police arrested three individuals accused of hacking and selling over 610,000 Roblox accounts, reportedly generating about $225,000 in proceeds. The Lviv authorities executed ten searches, seizing $35,000 in cash and multiple devices including 37 mobile phones, 11 desktop PCs, seven laptops, five tablets, and four USB drives. Prosecutors say the suspects — aged 19, 21, and 22 — used info‑stealing malware disguised as a game-enhancer, harvested credentials, categorized accounts by value, and sold high‑value profiles via a Russian website and closed online communities.

US Charges Scattered Spider Hacker Arrested in Finland

🔍 A 19-year-old dual U.S.-Estonian citizen arrested in Finland faces federal charges in the United States, accused of acting as a prolific member of the Scattered Spider hacking collective under the alias Bouquet. Prosecutors allege he helped extort millions through multiple breaches, including a March 2023 intrusion when he was 16 and a May 2025 attack on a multibillion-dollar luxury retailer that prompted an $8 million ransom demand and over $2 million in remediation costs.

BlackFile Extortion Group Targets Retail and Hospitality

📞 Unit 42 and RH-ISAC report BlackFile has targeted retail and hospitality since Feb 2026, linking activity to CL-CRI-1116 and overlaps with UNC6671/Cordial Spider. The group uses vishing—impersonating IT helpdesks with spoofed VoIP—and phishing pages that mimic corporate SSO, plus antidetect browsers and residential proxies to harvest credentials and OTPs. After access they register devices to bypass MFA, escalate privileges, and exfiltrate data via Salesforce and SharePoint APIs. Recommendations include caller identity checks, strict escalation for IT support, and simulation-based phone-security training.

Vercel Identifies Additional Customer Account Breaches

🔒 Vercel said it has identified an additional set of compromised customer accounts after expanding its indicators of compromise and reviewing network requests and environment‑variable read events. A small number of accounts showed compromise predating this incident, possibly via social engineering, malware, or other means; the company said it has notified affected parties. Investigators traced the chain to a compromise of Context.ai that allowed takeover of a Google Workspace account and a pivot into Vercel; further analysis points to Lumma Stealer as the likely initial payload.

Detecting Cloud Identity Infiltration via Fake Hires

🔍 Microsoft observed North Korea-aligned actors posing as legitimate hires—using stolen or fabricated identities and generative AI—to gain trusted access to corporate SaaS. They target external career sites and Workday Recruiting APIs (hrrecruiting/*) to submit convincing applications, complete onboarding, then use legitimate accounts to access Teams, SharePoint, OneDrive, and Exchange Online. Defenders should correlate multi-source telemetry, enable Microsoft Defender for Cloud Apps connectors, and monitor behavioral anomalies in candidates and new hires.

Scattered Spider Member 'Tylerb' Pleads Guilty in US

🔒 Tyler Robert Buchanan, a 24-year-old British national and senior member of the cybercrime group Scattered Spider, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS-phishing attacks. He admitted launching tens of thousands of phishing texts that enabled intrusions at companies including Twilio, LastPass, DoorDash and Mailchimp. Prosecutors say the campaign fueled SIM-swap thefts that siphoned at least $8 million in cryptocurrency from U.S. investors. Buchanan faces a statutory maximum of 22 years; sentencing is set for August 21, 2026.

Phishing and MFA Exploitation: Targeting Trust in Workflows

🔐 In 2025 attackers increased focus on weaknesses in multi-factor authentication (MFA) and the trust inherent in everyday workflows, with phishing used for initial access in 40% of incidents. Cascaded phishing leveraged compromised, legitimate accounts to craft highly convincing lures, while abuse of Microsoft 365 Direct Send enabled internal-looking spoofed messages. MFA spray attacks and device compromise—driven by voice phishing against administrators—targeted IAM tools and high-turnover device ecosystems, with higher education notably impacted. Defenders should harden device management, enforce strong lockout and conditional access policies, and adopt email protections such as Reject Direct Send and tightened SPF/DMARC.
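The Direct Send abuse and the SPF/DMARC advice in the item above can both be checked from artifacts a defender already has: the Authentication-Results header stamped on a delivered message, and the domain's published SPF and DMARC records. The script below is an added example written for this page, not code from the report. It assumes the organisation's own domain is corp.example and that inbound mail carries an Authentication-Results header in the style Exchange Online Protection produces (spf=, dkim=, dmarc=, compauth= clauses without a leading authserv-id); the two messages and the DNS records are constructed.

```python
"""Detect internal-looking spoofed mail and weak SPF/DMARC records.

Added example, not from the article. Assumes the organisation's own domain is
corp.example and that inbound mail carries an Authentication-Results header in
the style Exchange Online Protection stamps (spf=, dkim=, dmarc=, compauth=).
The messages and DNS records below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "corp.example"

# Constructed: a Direct Send-style message. It reaches the tenant's MX with an
# internal From: address, from an IP outside the domain's SPF, and unsigned.
SPOOFED_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: a.lee@corp.example
Subject: Action required: re-register your MFA device
Authentication-Results: spf=fail (sender IP is 203.0.113.9)
 smtp.mailfrom=corp.example; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=corp.example; compauth=fail reason=001

Your authenticator is out of date. Visit the link below within 24 hours.
"""

# Constructed: a genuine internal message relayed by the tenant itself.
LEGIT_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: a.lee@corp.example
Subject: Planned maintenance this weekend
Authentication-Results: spf=pass (sender IP is 198.51.100.20)
 smtp.mailfrom=corp.example; dkim=pass (signature was verified)
 header.d=corp.example; dmarc=pass action=none header.from=corp.example;
 compauth=pass reason=100

No action is needed.
"""


def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'fail', 'dkim': 'none', ...}.

    Each ';'-separated clause starts with method=verdict; a leading authserv-id
    (present in RFC 8601 headers, absent in EOP's) has no '=' and is skipped.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.replace("\n", " ").split(";"):
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, verdict = tokens[0].split("=", 1)
                results[method.lower()] = verdict.lower()
    return results


def looks_like_internal_spoof(raw_message, our_domain=OUR_DOMAIN):
    """True when From: claims our domain but neither DKIM nor DMARC passed.

    That combination is the signature of Direct Send abuse: the message was
    accepted by the tenant and looks internal, yet was never authenticated.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ar = auth_results(msg)
    return from_domain == our_domain and ar.get("dmarc") != "pass" and ar.get("dkim") != "pass"


def spf_all_qualifier(spf_record):
    """Return the qualifier on the 'all' mechanism: '-' hard fail, '~' soft
    fail, '?' neutral, '+' pass, or None when the record has no 'all' term."""
    for term in spf_record.split():
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return qualifier
    return None


def dmarc_policy(dmarc_record):
    """Return the p= tag of a DMARC record, lower-cased ('' if missing)."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags.get("p", "").lower()


def record_findings(spf_record, dmarc_record):
    """List the hardening gaps in a domain's SPF and DMARC records."""
    findings = []
    if spf_all_qualifier(spf_record) != "-":
        findings.append("SPF does not hard-fail unlisted senders; end the record with -all")
    if dmarc_policy(dmarc_record) not in ("quarantine", "reject"):
        findings.append("DMARC is not enforcing; move from p=none to p=quarantine or p=reject")
    return findings


if __name__ == "__main__":
    print("spoofed message flagged:", looks_like_internal_spoof(SPOOFED_MESSAGE))
    print("legit message flagged:  ", looks_like_internal_spoof(LEGIT_MESSAGE))
    print("weak records:", record_findings("v=spf1 include:spf.protection.outlook.com ~all",
                                           "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"))
    print("hardened records:", record_findings("v=spf1 include:spf.protection.outlook.com -all",
                                               "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"))
```

The header check only finds spoofs that were already delivered; tightening the records raises the cost for external senders but does not by itself stop Direct Send, which is why the report pairs the DNS changes with the tenant-level Reject Direct Send setting.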

Singer Loses Life Savings to Fake Ledger Live App Download

🚨 Garrett Dutton (G. Love) says he downloaded a counterfeit Ledger Live app from Apple's App Store while setting up a new computer and was tricked into entering his seed phrase. Thieves used it to steal 5.9 BTC (about $440,000). Apple removed the fraudulent app on April 12 after investigators linked it to roughly $9.5 million stolen from more than 50 victims. Legitimate wallets never ask for your seed phrase; verify developer names and ratings and be especially cautious when installing apps on new devices.

Man jailed for selling hacked DraftKings accounts in bulk

🔒 Kamerin Stokes, 23, was sentenced to 30 months in prison after selling access to tens of thousands of hacked accounts tied to DraftKings. Prosecutors say a November 2022 credential‑stuffing attack led by Nathan Austad (aka "Snoopy") with accomplice Joseph Garrison compromised nearly 68,000 accounts; the group stole about $635,000 from roughly 1,600 accounts and generated over $2.1 million selling hacked accounts. Stokes, who operated as "TheMFNPlug", briefly reopened his shop after pleading guilty under the tagline "fraud is fun", was remanded for violating pretrial conditions, and was ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture, plus three years of supervised release.