All news with #account takeover tag
Wed, October 29, 2025
Preparing for the Digital Battlefield of Identity Risk
🔒 BeyondTrust's 2026 predictions argue that the next major breaches will stem from unmanaged identity debt rather than simple phishing. The report highlights three identity-driven threats: agentic AI acting as privileged deputies vulnerable to prompt manipulation, automated "account poisoning" in financial systems, and long-dormant "ghost" identities surfacing in legacy IAM. The authors recommend an identity-first posture with strict least-privilege, context-aware controls, real-time auditing, and stronger identity governance.
Wed, October 29, 2025
Atroposia RAT Kit Lowers Barrier for Cybercriminals
⚠️ Researchers at Varonis have identified a turnkey remote access trojan called Atroposia, marketed on underground forums with subscription tiers starting at $200 per month. The kit combines advanced features — hidden remote desktop takeover, encrypted C2 channels, UAC bypass for persistence, an integrated vulnerability scanner, clipboard capture, DNS hijacking and bulk exfiltration — into a low‑skill, plug‑and‑play package. Enterprises should prioritize behavioral monitoring, rapid containment, multi‑factor authentication, restricted admin access and rigorous patching to detect and mitigate attacks enabled by such commoditized toolsets.
Tue, October 28, 2025
Herodotus Android Trojan Mimics Humans to Evade Fraud
⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.
Tue, October 28, 2025
Quarter of Scam Victims Report Considering Self-Harm
⚠️ A new 2025 Consumer Impact Report from the Identity Theft Resource Center (ITRC) finds identity fraud is driving severe mental and financial harm, with one quarter of surveyed consumers saying they seriously considered self-harm after an incident. The figure rises to 68% among self-identified victims but falls to 14% for those who contacted the ITRC, underscoring the value of professional support. The study of 1,033 general consumers also highlights rising repeat victimisation, large monetary losses — including more than 20% losing over $100,000 and 10% losing at least $1m — social media account takeovers as the most common crime, and widespread concern that AI will be a major battleground for identity security.
Tue, October 28, 2025
Hardening Google Workspace: Practical Guidance for Teams
🔒 Small security teams can harden Google Workspace by enforcing MFA, restricting admin roles, and tightening sharing and OAuth app permissions. The article stresses stronger email defenses — advanced phishing controls, DMARC/DKIM/SPF — and proactive monitoring for account takeovers through alerts and behavioral signals. It argues native controls form a solid foundation but leave gaps, and recommends augmenting them with Material Security for unified visibility and automated remediation.
Mon, October 27, 2025
Google Refutes False Claims of Massive Gmail Breach
🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.
Mon, October 27, 2025
Agenda (Qilin) weaponizes Linux binaries against Windows
🛡️ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate remote-management, file-transfer and backup tooling — including ScreenConnect, Splashtop, Veeam, and ATERA — to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.
Mon, October 27, 2025
UK Fraud Cases Surge 17% as APP Losses Rise in H1 2025
💷 The UK saw a 17% annual rise in consumer fraud cases in H1 2025, with total losses of £629m across 2.1 million incidents, according to UK Finance’s Half Year Fraud Report 2025. Authorized push payment (APP) losses increased 12% despite an 8% decline in APP case numbers, driven largely by investment and romance scams originating on social media. Card-not-present activity pushed card losses to £299m, and criminals are increasingly using social engineering and compromised OTPs to scale attacks.
Fri, October 24, 2025
Phishing Campaign Targets LastPass Users with 'Death' Lure
⚠️ LastPass customers are being targeted by a phishing campaign that falsely notifies recipients that a family member uploaded a death certificate to request legacy access. Messages spoof the LastPass domain and include a cancellation link that redirects to an attacker-controlled site asking for the master password. Some victims have also received phone calls pressing the same ruse. LastPass warns it never asks for master passwords and has removed the initial phishing site.
Fri, October 24, 2025
Privacy rankings of popular messaging apps — 2025 Report
🔒 Incogni's Social Media Privacy Ranking 2025, summarized by Kaspersky, evaluates 15 platforms across 18 criteria to compare messaging apps on privacy and data handling. Overall scores place Discord, Telegram and Snapchat near the top, but a subset of practical criteria ranks Telegram first, followed by Snapchat and Discord. The analysis highlights default settings, data collection by mobile apps, handling of government requests, and encryption differences, noting that only WhatsApp provides end-to-end encryption for all chats by default.
Fri, October 24, 2025
Cut IT Costs with Secure Self-Service Password Resets
🔐 Self-service password reset (SSPR) can significantly cut help desk costs and reduce downtime by letting users securely change forgotten or expired credentials without contacting support. Industry research cited in the article highlights that password-related calls are common and expensive — Gartner and Forrester figures are referenced and a Specops analysis reports average savings per user. The piece outlines security best practices including tiered risk controls, MFA, enrollment hygiene, and detection measures like rate limiting and location checks. It describes Specops uReset capabilities for Entra ID and Active Directory, automated enrollment, reporting, and a First Day Password add-on to reduce onboarding friction.
Thu, October 23, 2025
Vietnam Actors Use Fake Job Postings to Hijack Ad Accounts
🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.
Thu, October 23, 2025
'Jingle Thief' Exploits Cloud to Steal Gift Cards at Scale
🔒 Researchers detail a threat cluster called Jingle Thief that leverages phishing and smishing to harvest credentials and compromise cloud environments of retailers and consumer services to issue unauthorized gift cards. Palo Alto Networks Unit 42 links the activity to financially motivated actors and notes coordinated campaigns in April-May 2025. The attackers favor identity misuse over malware, persistently mapping tenants, abusing Microsoft 365 services, and minimizing logs to sustain large-scale fraud.
Wed, October 22, 2025
Google Careers Phishing Targets Job Seekers' Credentials
🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.
Wed, October 22, 2025
Jingle Thief: Inside a Cloud Gift Card Fraud Campaign
🔍 Unit 42 details the Jingle Thief campaign, a Morocco‑based, financially motivated operation that uses phishing and smishing to harvest Microsoft 365 credentials and abuse cloud services to commit large‑scale gift card fraud. The actors maintain prolonged, stealthy access for reconnaissance across SharePoint, OneDrive and Exchange, and rely on internal phishing, inbox rules and rogue device enrollment in Entra ID to persist and issue unauthorized cards. The report (cluster CL‑CRI‑1032) links the activity to Atlas Lion/STORM‑0539 and emphasizes identity‑centric detections and mitigations.
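The inbox-rule persistence mentioned above is one of the easier identity-centric signals to check for: rules that silently delete or bury security-related mail, forward mail outside the tenant, or carry empty names. The following is an added illustration of that triage logic; it is not Unit 42's detection content. The rule dictionaries use a simplified, assumed schema (id, name, from_contains, subject_contains, forward_to, move_to_folder, delete) rather than any vendor API, and the sample rules and the example.com tenant domain are constructed.

```python
"""Triage mailbox inbox rules for attacker-style persistence.

Added illustration, not Unit 42's detection content. The rule schema
(id, name, from_contains, subject_contains, forward_to, move_to_folder,
delete) is assumed, and the sample rules below are constructed.
"""
SUSPICIOUS_TERMS = ("password", "gift card", "mfa", "verification code",
                    "security alert", "phish", "suspicious")
LOW_VISIBILITY_FOLDERS = {"deleted items", "rss feeds", "junk email",
                          "conversation history", "archive"}


def triage_rule(rule, internal_domains):
    """Return the reasons a single rule looks like persistence (empty if none)."""
    reasons = []
    internal = {d.lower() for d in internal_domains}
    # Forwarding outside the tenant is the classic exfiltration rule.
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in internal:
            reasons.append(f"forwards mail to external address {addr}")
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    hits = [t for t in terms if any(s in t for s in SUSPICIOUS_TERMS)]
    # Deleting or moving to a folder nobody reads keeps the victim from
    # noticing alerts, resets or gift-card confirmations.
    hides = rule.get("delete", False) or \
        rule.get("move_to_folder", "").lower() in LOW_VISIBILITY_FOLDERS
    if hides and hits:
        reasons.append(f"hides mail whose subject matches {hits}")
    if hides and not terms and not rule.get("from_contains"):
        reasons.append("hides all incoming mail unconditionally")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("empty or single-character rule name")
    return reasons


def audit_rules(rules, internal_domains):
    """Map rule id -> reasons for every rule that trips at least one check."""
    flagged = {}
    for rule in rules:
        reasons = triage_rule(rule, internal_domains)
        if reasons:
            flagged[rule["id"]] = reasons
    return flagged


SAMPLE_RULES = [  # constructed sample, not real tenant data
    {"id": "r1", "name": "Newsletters", "from_contains": ["news@"],
     "move_to_folder": "Newsletters"},
    {"id": "r2", "name": ".", "subject_contains": ["password", "gift card"],
     "delete": True},
    {"id": "r3", "name": "Backup", "forward_to": ["ops.backup@example.net"]},
    {"id": "r4", "name": "Clean up", "move_to_folder": "RSS Feeds"},
]

if __name__ == "__main__":
    for rid, reasons in audit_rules(SAMPLE_RULES, ["example.com"]).items():
        print(rid, "->", "; ".join(reasons))
```

Run against an export of every mailbox's rules, the checks that matter most are the external-forward and the hide-plus-keyword combination; a rule named "." with a delete action on "password" or "gift card" subjects is the pattern that should page someone.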
Tue, October 21, 2025
John Bolton Charged Over Classified Emails Leak After Hack
🔒 Former national security adviser John Bolton has been charged with mishandling classified information after prosecutors say he retained and transmitted sensitive documents via a personal AOL account that was later accessed by suspected Iranian hackers. The intruders allegedly downloaded the materials and sent extortion messages to Bolton. The case highlights questions about password strength, the use of two-step verification, and the risks of sending unencrypted, sensitive information to family members. Bolton has pleaded not guilty.
Mon, October 20, 2025
SIMCARTEL Takedown: Major SIM-Box Supply Network Bust
🔒 Law enforcement dismantled a criminal SIM-card supply network known as 'SIMCARTEL' following coordinated actions across multiple European countries. The now-defunct service operated a commercial SIM-box platform that let customers rent phone numbers from over 80 countries to create and manage an estimated 49 million fake online accounts used in phishing, fraud and other serious offences. Authorities seized five servers, around 1,200 SIM-box devices (operating ~40,000 SIMs), hundreds of thousands of SIM cards, froze more than $500,000 in bank funds and over $330,000 in crypto, and took down two domain services linked to the operation.
Sun, October 19, 2025
Europol Dismantles International SIM Farm Network; SIMCARTEL
🚨 Europol announced the disruption of a sophisticated cybercrime-as-a-service SIM farm in Operation SIMCARTEL, resulting in seven arrests and 26 searches across multiple countries. Authorities seized 1,200 SIM box devices containing about 40,000 active SIM cards, dismantled five servers and took over two websites, and froze significant cash and cryptocurrency assets. The platform supplied numbers from over 80 countries and is tied to the creation of more than 49 million online accounts used in phishing, smishing, investment fraud and other serious offences.
Fri, October 17, 2025
Security Teams Must Deploy Anti-Infostealer Defenses Now
🔒 Infostealers are fuelling today’s ransomware wave and the resulting stealer logs are widely available on the dark web, sometimes for as little as $10. At ISACA Europe 2025, Tony Gee of 3B Data Security urged security teams to adopt targeted technical controls in addition to baseline measures like zero trust and network segmentation. He recommended six practical defenses — including regular password rotation, FIDO2-enabled MFA, forced authentication, shorter session tokens, cookie replay detection and impossible-travel monitoring — to reduce the usefulness of stolen credentials and session data.
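Two of the six defenses above, impossible-travel monitoring and cookie replay detection, are the same class of check as the location checks the self-service password reset item earlier on this page recommends. The following is an added illustration of both, not code from the talk or from 3B Data Security. The event schema, the 900 km/h plausibility ceiling and the sample events are assumptions made for the example; the geolocation of each IP is taken as already resolved.

```python
"""Impossible-travel and session-cookie replay checks over constructed auth events.

Added illustration, not code from any article on this page. The event schema,
the 900 km/h ceiling and the sample events are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # Unix seconds
    user: str
    ip: str
    lat: float       # geolocation of ip (assumed already resolved)
    lon: float
    session_id: str  # value of the session cookie presented
    ua: str          # User-Agent header


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.

    Returns a list of (user, earlier_ts, later_ts, implied_kmh). Elapsed time
    is clamped to at least one second so two distant logins with identical
    timestamps are still flagged instead of dividing by zero.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max(cur.ts - prev.ts, 1) / 3600.0
            speed = km / hours
            if speed > max_kmh:
                hits.append((user, prev.ts, cur.ts, round(speed)))
    return hits


def cookie_replay(events):
    """Flag any session cookie presented from more than one (ip, user-agent).

    A cookie lifted by an infostealer is replayed from the attacker's machine,
    so the same session_id shows up with a client fingerprint different from
    the one that established it. Returns {session_id: [fingerprints...]}.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e.session_id].add((e.ip, e.ua))
    return {sid: sorted(fps) for sid, fps in seen.items() if len(fps) > 1}


# Constructed sample: alice logs in from London, then 30 minutes later her
# session cookie is replayed from Sao Paulo by a scripted client; bob makes a
# plausible London -> Paris trip over three hours with fresh sessions.
SAMPLE_EVENTS = [
    AuthEvent(1730000000, "alice", "203.0.113.5", 51.5074, -0.1278, "s-alice-1",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"),
    AuthEvent(1730001800, "alice", "198.51.100.77", -23.5505, -46.6333, "s-alice-1",
              "python-requests/2.32.3"),
    AuthEvent(1730000000, "bob", "192.0.2.10", 51.5074, -0.1278, "s-bob-1",
              "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15"),
    AuthEvent(1730010800, "bob", "192.0.2.44", 48.8566, 2.3522, "s-bob-2",
              "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15"),
]

if __name__ == "__main__":
    for user, t0, t1, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user} {t0}->{t1} implies {kmh} km/h")
    for sid, fps in cookie_replay(SAMPLE_EVENTS).items():
        print(f"cookie replay: {sid} seen from {len(fps)} clients: {fps}")
```

The speed ceiling is deliberately generous so that VPN exits and corporate proxies near the user do not trip it; the cookie check needs no threshold at all, since a legitimate browser does not change both its IP and its User-Agent mid-session. Binding the session to the fingerprint at issue time and shortening token lifetime, as the talk recommends, turns the second check from detection into prevention.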
Wed, October 15, 2025
Phishing Campaign Uses Fake LastPass/Bitwarden Breach Alerts
⚠️ A phishing campaign is impersonating LastPass and Bitwarden, sending convincing emails that claim a breach and urge users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and both vendors confirm no breach occurred.