CISO Brief

All news with #account takeover tag

169 articles · page 3 of 9

FBI Links Signal Phishing to Russian Intelligence Services

🔔 The FBI has publicly attributed widespread phishing campaigns against encrypted messaging apps—primarily Signal and, to a lesser extent, WhatsApp—to actors linked to Russian intelligence services. The adversaries do not break end-to-end encryption; they hijack accounts via social engineering, commonly tricking victims into sharing verification codes or scanning malicious QR codes. Thousands of accounts worldwide have reportedly been compromised, often targeting individuals with sensitive access. Authorities urge users to refuse unsolicited device-linking requests and never share verification codes.

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.

Quick Guide to Recovering a Hacked Online Account Safely

🔒 This concise guide explains fast, practical steps to recover a compromised online account and limit attacker control. It recommends a prioritized, timed response—contain the incident, secure access, and check for persistent compromises—emphasizing actions such as changing passwords, removing unauthorized forwarding, enabling two-factor authentication, and revoking sessions from a known-clean device. The piece also covers device cleanup, notifying contacts and banks, and long-term protections such as password managers, authenticator apps, hardware keys and regular software updates.

Global Surge in Mobile Banking Malware Targets 1,243 Brands

📱 Zimperium zLabs reports a global surge in mobile banking malware targeting 1,243 financial brands across 90 countries. The firm analysed 34 active malware families affecting apps with more than three billion downloads and found industrialised campaigns exploiting weak app protections and widespread code sharing. Attacks now intercept authentication codes, hijack live sessions and can take control of devices, undermining traditional backend fraud controls.

Perseus Android Banking Malware Targets Europe and Mideast

🔒 ThreatFabric researchers disclosed a new Android banking malware family named Perseus that enables device takeover and financial fraud through dropper apps promoted on phishing and IPTV sideloading sites. Built on code from Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor, interact with, and fully control infected devices. It targets users across Turkey, Italy and other European and Middle Eastern markets, and adds note-scanning to harvest high-value personal data. Operators can issue remote commands, stream screens, run HVNC sessions, and authorize fraudulent transactions via a command-and-control panel.

Smashing Security 459: Near-Miss WordPress Account Takeover

🔐 In Episode 459 Graham Cluley and Paul Ducklin dissect a near-miss account takeover aimed at WordPress co-founder Matt Mullenweg that combined MFA prompt fatigue, authentic Apple alerts, a convincing support call and a phishing page. They draw practical lessons on resisting MFA prompt fatigue and social-engineering support scams. The episode also explores UK Biobank re-identification risks and the ethics of sharing lifetime medical data.

Android OS-Level Exploit Hijacks Mobile Payment Security

🔒 CloudSEK researchers have identified an Android OS-level attack that manipulates the runtime via LSPosed modules to hijack legitimate payment apps without modifying APKs or invalidating app signatures. The campaign, associated with a module dubbed Digital Lutera, intercepts SMS, spoofs device identities, and captures 2FA in real time, effectively bypassing protections like Google Play Protect and persistent integrity checks. Reinstalling apps does not remove the malicious hooks, making detection and remediation difficult.

FBI Seeks Victims After Malware-Embedded Games on Steam

🎮 The FBI's Seattle Division is seeking information from gamers who installed Steam titles later found to contain malware between May 2024 and January 2026. Identified titles include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The agency's questionnaire targets cryptocurrency theft and account hijacking and requests transaction details, compromised account information, and screenshots of communications to help trace stolen funds and those who distributed the malware.

Stryker hit by widespread device wipes linked to Iran

🛡️ Stryker reported a large-scale disruption after thousands of employee devices were remotely wiped and many users were unable to log in, saying the issue appears contained to its internal Microsoft environment and that there is no indication of malware at this time. The pro-Iranian group Handala claimed responsibility and employees reported seeing its logo on affected machines. Analysts say the pattern is consistent with a compromise of Microsoft Intune and Entra-based admin controls, which would permit remote wiping without deploying traditional malware, and recommend tightened admin verification and credential protections.

Travel Rewards Become Commoditized in Underground Markets

✈️ Flare researchers found that airline miles and hotel points are being treated as commodities in underground markets, where stolen loyalty accounts are traded, redeemed for legitimate bookings, and resold at discounts. Actors post inventory-style listings in messaging groups, often advertising full email access to reduce recovery chances. Observed pricing averaged roughly $1 per 1,000 miles, and major programs were favored for liquidity and resale value. The fraud chain typically follows a four-stage cycle from account takeover to resale.

Signal Accounts Hijacked via Social Engineering, Says Report

🔒 Signal has confirmed that attackers have hijacked some user accounts by tricking victims into handing over verification codes or linking a second device. The company says its encryption and central infrastructure remain uncompromised and that the campaign relies on social engineering rather than exploiting software vulnerabilities. Targeted users received in-app messages purporting to be a "Signal Security Support Chatbot" or were sent QR codes and links that secretly link an attacker’s device. Review Settings > Linked Devices and never share verification codes or your PIN.

Cloudflare Unveils Account Abuse Protection Suite Now

🔒 Cloudflare today introduced Account Abuse Protection, a suite of fraud-prevention tools that stop fraudulent account creation and takeovers by evaluating authenticity beyond automation signals. The suite combines leaked credential checks and ATO detections with new Disposable email and Email risk scoring plus Hashed User IDs for per-account visibility while preserving privacy. Available in Early Access to Bot Management Enterprise customers, these controls integrate into Security analytics and Security rules to add friction at signup and investigate account-level abuse.

Autonomous AI Agent Chains Bugs to Compromise Platform

🛡️ CodeWall’s autonomous red-team agent compromised hiring startup Jack & Jill by chaining four seemingly minor bugs into a complete account takeover within an hour. The agent abused a permissive URL fetcher, an enabled test-login mode, missing onboarding role checks, and absent domain verification to map APIs, authenticate via a test OTP flow, and escalate to org-admin privileges. It then generated synthetic voice clips to social-engineer Jack, conducting 28 multi-turn exchanges and even impersonating Donald Trump before moving on, demonstrating how AI can rapidly combine low-risk flaws into high-impact attacks.

Russian Campaign Targets Signal and WhatsApp Accounts

🔒 Dutch intelligence has uncovered a large-scale campaign by Russian state actors to hijack Signal and WhatsApp accounts belonging to military, government and other high-value individuals worldwide. The attackers impersonate support bots, request SMS verification codes or PINs, and exploit linked-device QR flows to add devices. Authorities warn these consumer apps, while end-to-end encrypted, are unsuitable for classified material and have issued guidance to detect and remediate account takeovers.

Dutch govt warns of Signal and WhatsApp hijacking campaigns

🔐 Russian state-sponsored actors are tied to a targeted phishing campaign that hijacks Signal and WhatsApp accounts to monitor messages of government officials, military personnel, and journalists. The Dutch MIVD and AIVD warn attackers use fake support chats, SMS verification-code prompts, Signal PIN requests, and malicious QR links to link attacker devices. Signal says its infrastructure is intact and urges users never to share codes or PINs and to review linked devices immediately.

Europe Targeted by Identity Theft and Account Takeovers

🔒 Darktrace's Threat Report 2026 warns that identity-based attacks—primarily via compromised cloud and email accounts—now initiate 58% of intrusions in Europe, with network-based breaches comprising the other 42%. Germany and the manufacturing sector were particularly affected as attackers leverage valid credentials and legitimate admin tools to evade detection. The report highlights state-backed groups (e.g., Lazarus, ShadowPad) and RaaS operators such as Akira, noting heavy targeting of Azure, GCP and Docker environments. Experts recommend continuous monitoring of privileged accounts, hardened MFA, device baselines and behavioral detection to spot anomalies early.

FBI and Europol Seize LeakBase Forum for Stolen Credentials

🔒 A coordinated international operation by the FBI and Europol dismantled LeakBase, a major clearnet forum used to trade stolen credentials and financial data. Authorities seized the site (leakbase[.]la), preserving user accounts, posts, private messages, credit details and IP logs as evidence. The disruption, dubbed Operation Leak, targeted administrators and heavy users and follows reporting that the forum hosted stealer logs and large hacked databases used in account takeover and fraud.

Compromised cPanel Access Fuels Cybercrime Markets

🔐 Flare researchers found widespread trading of compromised cPanel credentials across fraudulent groups, observing over 200,000 posts in a seven-day sample that reveal a highly commoditized, templated marketplace. Sellers advertise tiered pricing and bulk discounts (e.g., bundles of 100–1,000 accounts), and buyers use panels to host phishing kits, create SMTP accounts, deploy backdoors, and exfiltrate data. Because access uses valid credentials, abuse often bypasses traditional defenses; organizations should enable MFA, enforce strong unique passwords, restrict admin IPs, and monitor file integrity and outbound SMTP.

Alabama man pleads guilty to hacking, extorting women

🚨 A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to federal extortion, cyberstalking, and computer fraud charges after hijacking social media accounts belonging to hundreds of young women, including minors. Between April 2022 and May 2025 Mosley impersonated friends and used social engineering to obtain account recovery codes and passwords, then threatened to publish private nude images unless victims paid, sent more explicit content, or surrendered access to other accounts. Sentencing is scheduled for May 27.

Project Compass: Arrests Target 'The Com' Cyber Gang

🧭 Europol's Project Compass has targeted The Com, a transnational online collective linked to extortion, ransomware and violent abuse. Over the past 12 months the operation resulted in 30 arrests and the full or partial identification of 179 alleged members, while several victims were identified and safeguarded. The initiative spans EU states, Norway, Switzerland and all Five Eyes partners and focuses on disrupting recruitment and account-takeover tactics such as phishing, vishing and SIM swapping, as well as the group's links to extremist and Russian cyber-criminal networks.