All news with #account takeover tag

French Football Federation Discloses Member Data Breach

⚽ The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to access administrative management software used by clubs. FFF detected the unauthorized access, disabled the compromised account, and reset all user passwords across the system. Before they were evicted, threat actors exfiltrated personal and contact information for members. The federation said it has filed a criminal complaint, notified regulators, and will directly inform affected individuals while urging vigilance against phishing attempts.

Scattered Lapsus$ Hunters Target Zendesk with Fake Domains

🔒 ReliaQuest researchers discovered that a group calling itself Scattered Lapsus$ Hunters registered more than 40 fake domains over six months to impersonate Zendesk, host fraudulent login pages, and push malware. Domains such as znedesk.com and vpn-zendesk.com used realistic sign-in screens while other URLs embedded company names to build trust. Attackers also submitted bogus support tickets to real Zendesk portals to trick help-desk staff into surrendering credentials or installing malware. ReliaQuest noted registry patterns tied to NiceNic and Cloudflare-masked nameservers and shared findings with Zendesk.

FBI Warns of Widespread Account Takeover Fraud Since 2025

🔒 Since January 2025 the FBI reports account takeover (ATO) schemes have produced losses exceeding $262 million. Cybercriminals impersonate bank, payroll and health account providers and use phishing domains, SEO poisoning and social engineering to harvest credentials and one-time codes. The Bureau recommends enabling MFA, using unique complex passwords, monitoring accounts regularly, avoiding search ads and verifying unsolicited calls or messages before sharing any login information.

FBI: $262M Lost to ATO Fraud as AI Phishing Escalates

🔐 The FBI warns that cybercriminals impersonating banks and payment services have caused over $262 million in losses this year through account takeover (ATO) fraud and more than 5,100 complaints. Attackers use phishing, SEO poisoning, calls and SMS to harvest credentials and MFA/OTP codes, then transfer funds to intermediary accounts and convert proceeds to cryptocurrency. The advisory highlights growing use of AI-generated phishing and holiday-themed scams and urges vigilance, unique passwords, URL checks and stronger authentication.

FBI: $262M Stolen in Bank Support Impersonation Scams

⚠️ The FBI warns that cybercriminals impersonating bank and payroll support teams have stolen over $262 million in account takeover (ATO) fraud since January 2025, with more than 5,100 complaints reported to the Internet Crime Complaint Center. Attackers use calls, texts, phishing sites and SEO‑poisoned search results to harvest credentials and MFA/OTP codes, then quickly wire funds to crypto wallets and lock owners out. The FBI advises monitoring accounts, using unique complex passwords, enabling MFA, bookmarking official banking sites, contacting financial institutions immediately to request recalls and indemnification, and filing detailed complaints with IC3.

AI and Deepfakes Drive Surge in Sophisticated Identity Fraud

🔍 Sumsub’s 2025 Identity Fraud Report finds that global identity fraud attempts fell slightly to 2.2%, but highly sophisticated attacks rose 180%. These multi-vector schemes combine synthetic identities, AI-driven deepfakes, layered social engineering, device tampering and cross-channel manipulation, making them far harder to detect. The report warns organisations to replace manual controls with real-time behavioural and telemetry analysis to counter this shift from quantity to quality in fraud.

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

CISA: Active Spyware Campaigns Target Messaging Apps

🔐CISA warns that threat actors are actively using commercial spyware and remote-access trojans to target users of mobile messaging apps, combining technical exploits with tailored social engineering to gain unauthorized access. Recent campaigns include abuse of Signal's linked-device feature, Android spyware families ProSpy, ToSpy and ClayRat, a chained iOS/WhatsApp exploit (CVE-2025-43300, CVE-2025-55177) targeting a small number of users, and a Samsung flaw (CVE-2025-21042) used to deliver LANDFALL. CISA urges high-value individuals and organizations to adopt layered defenses: E2EE, FIDO phishing-resistant MFA instead of SMS, password managers, device updates, platform hardening (Lockdown Mode, iCloud Private Relay, app-permission audits, Google Play Protect), and to prefer modern hardware from vendors with strong security records.

Superbox Android TV Boxes Found Relaying Malicious Traffic

⚠️ Superbox media streaming boxes sold through retailers like BestBuy and Walmart have been found running intrusive, unofficial apps that can enlist buyers' Internet connections into distributed residential proxy networks and botnets. Censys researchers observed devices phoning home to Tencent QQ and a proxy service called Grass IO, and installing tools such as tcpdump and netcat while performing DNS hijacking and ARP spoofing. The boxes require removing Google Play and installing a third-party app store, increasing the risk of unauthorized relays, advertising fraud, and account takeovers. Consumers are advised to avoid uncertified Android TV devices and follow FBI and EFF guidance on suspicious app marketplaces.

Commercial Spyware Targets Mobile Messaging Users Worldwide

📱 CISA warns that multiple cyber threat actors are actively using commercial spyware to target users of mobile messaging applications. These actors employ phishing, malicious device-linking QR codes, zero-click exploits, and impersonation of platforms such as Signal and WhatsApp to gain unauthorized access and deploy additional malicious payloads. CISA urges users to review updated mobile communications guidance and mitigations to reduce spyware risk.

Music Store's Google Ads Account Hijacked, €4M Loss

🔒 The Google Ads account for Cologne-based retailer Music Store was reportedly taken over by attackers on 19 October 2025. Criminals have linked more than 2,500 foreign advertising accounts to the company’s payment profile and are running persistent campaigns promoting online casinos and crypto exchanges that administrators cannot remove. The assigned Google account manager has reportedly been unable to stop the activity, and formal attempts to get intervention via official channels have so far failed. Police cybercrime investigators and consumer protection authorities have been notified, and reported losses exceed €4 million.

Sneaky2FA Adds Browser-in-the-Browser to Phishing Kits

🛡️ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

CTM360 Reveals Global WhatsApp Account-Hacking Campaign

🔒 CTM360 reports a large-scale campaign, dubbed HackOnChat, that deploys deceptive web portals and impersonation pages to compromise WhatsApp accounts worldwide. Attackers rapidly create thousands of malicious URLs on inexpensive domains and web-building platforms, luring users with fake security alerts and lookalike login pages. Once accounts are taken, they are abused to defraud contacts, harvest sensitive data, and expand the scam.

Sturnus Android Banking Trojan Targets Southern Europe

🛡️ ThreatFabric has detailed a new Android banking trojan named Sturnus that combines screen-capture, accessibility abuse, and overlays to steal credentials and enable full device takeover. The malware captures decrypted messages from WhatsApp, Telegram, and Signal by recording the device screen, serves region-specific fake banking login screens, and contacts operator servers via WebSocket/HTTP to receive encrypted payloads and enable remote VNC-style control. It resists cleanup by blocking uninstallation and leveraging administrator privileges.

Sneaky2FA PhaaS Adds Browser-in-the-Browser Deception

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.

California Man Pleads Guilty in $25M Crypto Laundering

🔒 Kunal Mehta, a 45-year-old from Irvine, has pleaded guilty to laundering at least $25 million connected to a wider $230 million cryptocurrency theft. Court documents say Mehta served as a money launderer for a transnational ring that used social engineering between October 2023 and March 2025 to access victims' crypto accounts. Prosecutors allege he created multiple shell companies in 2024, routed wire transfers into bank accounts designed to appear legitimate, and typically charged a 10% fee for converting stolen crypto to cash. Investigators say the group employed mixers, peel chains, pass-through wallets, VPNs, and conversions to Monero, though operational mistakes helped link laundered funds back to the theft.

Tycoon 2FA Phishing Kit Undermines Legacy MFA Protections

🔐 Tycoon 2FA is a turnkey phishing kit that automates real-time MFA relays, enabling attackers to capture credentials, session cookies, and live authentication flows for Microsoft 365 and Gmail. It requires no coding skill, includes layered evasion (obfuscation, compression, bot filtering and debugger checks), and proxies MFA prompts so victims unknowingly authenticate attackers. The result undermines SMS, TOTP and push methods and can enable full session takeover. The article urges migration to phishing-resistant FIDO2 hardware and domain-bound biometric authenticators.

Tycoon 2FA Kit Exposes Global Collapse of Legacy MFA

🔐 The Tycoon 2FA phishing kit is a turnkey, scalable Phishing-as-a-Service that automates real-time credential and MFA relay attacks against Microsoft 365 and Gmail. It provisions fake login pages and reverse proxies, intercepts usernames, passwords and session cookies, then proxies the MFA flow so victims unknowingly authenticate attackers. The kit includes obfuscation, compression, bot-filtering, CAPTCHA and debugger checks to evade detection and only reveals full behavior to human targets. Organizations are urged to adopt FIDO2-based, hardware-backed biometric and domain-bound authentication to prevent such relay attacks.

Schneider Electric PowerChute Serial Shutdown Fixes

🔒 Schneider Electric has released updates for PowerChute Serial Shutdown to address multiple vulnerabilities that may be exploited locally on the network. The issues include path traversal (CWE-22, CVE-2025-11565), excessive authentication attempts (CWE-307, CVE-2025-11566), and incorrect default permissions (CWE-276, CVE-2025-11567) with CVSS scores up to 7.8. Schneider Electric published version 1.4 with fixes for Windows and Linux; administrators should upgrade and apply recommended permissions and network isolation measures.

Half a Million FTSE 100 Credentials Discovered Online

🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.