
All news with #account takeover tag

169 articles · page 4 of 9

Ukrainian Sentenced for Aiding North Korean IT Impostors

🔒 A Ukrainian man was sentenced to five years in prison after admitting he helped North Korean IT workers infiltrate US companies using stolen identities. He pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit fraud and agreed to forfeit over $1.4 million in cash and cryptocurrency. Authorities say he sold hundreds of stolen identities and provided proxy accounts and laptop farms to disguise foreign workers as US-based.

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Data

🔒 A sophisticated phishing campaign impersonating cryptocurrency broker Bitpanda has been uncovered by Cofense, employing a near-perfect fake login to steal credentials. Victims are guided through a staged MFA flow that requests names, phone numbers, addresses and dates of birth, enabling account takeover and identity abuse. The fraudulent landing page uses deceptive domains and urgent messaging before redirecting users to the real login page. Users should verify sender addresses, hover over links and access platforms via bookmarks rather than email links.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

Massiv Android banking malware disguises as IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.

Critical Honeywell CCTV Auth Bypass Threat to Devices

🔒 CISA has issued an advisory for a critical Honeywell CCTV vulnerability tracked as CVE-2026-1670. An unauthenticated API endpoint can be abused to change the account recovery email, enabling account takeover and unauthorized access to camera feeds. The advisory lists several mid-range models; Honeywell users should contact support and limit network exposure until vendor guidance or patches are available.

Honeywell CCTV Products: Critical Account Recovery Flaw

🔒 CISA reports a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that exposes an unauthenticated API endpoint allowing an attacker to change the forgot password recovery email. Successful exploitation can enable account takeover and unauthorized access to camera feeds, and the issue is scored CVSS v3.1 9.8 (CRITICAL). Affected firmware includes several 2MP and 25M IPC/PTZ variants. Honeywell recommends contacting support for patches; CISA urges reducing Internet exposure, segmenting networks, and using secure remote access.

Microsoft Store Outlook Add-in Hijacked to Steal Accounts

🔒 The AgreeTo Outlook add-in was hijacked and turned into a full phishing kit that stole more than 4,000 Microsoft account credentials, researchers at Koi Security report. The module, listed on the Microsoft Office Add-in Store since December 2022, relied on an abandoned Vercel-hosted URL that an attacker claimed and used to serve a fake Microsoft sign-in page inside Outlook’s sidebar. Credentials, credit card details and banking security answers were exfiltrated via a Telegram bot API before victims were redirected to the real login page. Microsoft removed the add-in after the disclosure; users should uninstall AgreeTo and reset affected passwords.

Netherlands Police Arrest Seller of JokerOTP MFA Tool

🔒 The Netherlands Police arrested a 21-year-old man from Dordrecht accused of selling access to the JokerOTP phishing-as-a-service platform that captures one-time passwords to enable account takeover. Investigators say this is the third arrest after a three-year probe that dismantled the operation in April 2025 and previously identified a developer and a co-developer. The seller advertised license keys on Telegram, allowing subscribers to automate calls that tricked victims into revealing OTPs, PINs, and card data, leading to fraud and unauthorized transfers.

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.

Two Connecticut Men Indicted in $3M Online Gambling Fraud

🎰 Two Connecticut residents, Amitoj Kapoor and Siddharth Lillaney, were federally indicted on 45 counts alleging a wide-ranging identity theft and gambling fraud scheme that generated about $3 million in illicit profits. Prosecutors say the men bought PII for roughly 3,000 victims on darknet markets and Telegram, used background-check services to pass verifications, and opened fraudulent accounts on FanDuel, DraftKings and BetMGM. Winnings were routed through virtual stored-value cards and then moved into accounts controlled by the defendants. Both were released on $300,000 bonds; the charges remain allegations.

Men Charged in $3M FanDuel Fraud Using 3,000 Stolen IDs

🔍 Two Connecticut men were indicted for an alleged scheme that used about 3,000 stolen identities to defraud online gambling platforms, including FanDuel, of roughly $3 million. Prosecutors say Amitoj Kapoor and Siddharth Lillaney purchased PII on darknet markets and Telegram, maintained a spreadsheet called "Tracker.xlsx", and used services like TruthFinder and BeenVerified to pass verification. The indictment charges multiple counts including wire and identity fraud, aggravated identity theft, and money laundering; both were arrested and released on $300,000 bond.

Authorities Warn of Signal Hijacks Targeting German Officials

🔐 German security agencies warn of an active campaign targeting high‑ranking politicians, soldiers, diplomats and journalists by seizing their Signal accounts. Attackers impersonate support teams to request secret PINs or trick users into approving device pairing via QR codes, then move the account to a number they control. No malware or software vulnerabilities are involved; the campaign relies on social engineering. Authorities note similar methods could be used against WhatsApp, and stress that official support will never request PINs via message.

German Agencies Warn of Signal Phishing Targeting Elites

🔒 Germany's Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory about a likely state‑sponsored phishing campaign that abuses Signal's legitimate features to seize accounts. Threat actors impersonate "Signal Support" or a "Signal Security ChatBot" to solicit SMS PINs or trick victims into scanning QR codes, enabling account registration on attacker‑controlled devices or silent device linking. Authorities recommend enabling Registration Lock, avoiding sharing verification codes, and routinely reviewing linked devices; the same methods can be applied to WhatsApp.

Germany warns of Signal account hijacking targeting VIPs

⚠️ Germany's domestic intelligence agencies warn of suspected state-backed campaigns that hijack messaging accounts on Signal to target politicians, military officers, diplomats, and journalists. The attacks use social engineering rather than malware, abusing legitimate features such as QR-code pairing and SMS/PIN verification. Two variants are reported: a full account takeover and a silent device pairing that monitors chats and contacts. Authorities advise blocking/reporting support-like messages, enabling Registration Lock, and routinely checking linked devices.

Man Pleads Guilty to Hacking Nearly 600 Snapchat Accounts

🔒 Kyle Svara, 26, pleaded guilty in federal court to phishing access codes and hacking nearly 600 Snapchat accounts to steal nude photos that he kept, sold, or traded. Between May 2020 and February 2021 he used social engineering to harvest credentials from roughly 570 victims and accessed at least 59 accounts to download private images. Svara advertised hacking services online, communicated via Kik, and accepted paid jobs, including work for former Northeastern coach Steve Waithe. He faces multiple federal charges and is scheduled for sentencing on May 18.

AI-Enabled Voice and Virtual Meeting Fraud Spikes 1210%

🔊 Pindrop's 2025 report found a 1210% rise in AI-enabled voice and virtual meeting fraud versus a 195% increase in traditional fraud. Attackers use AI-driven voice bots and deepfakes to probe IVR systems, map workflows, and return later with tailored social engineering that bypasses controls. Deepfakes impersonating C-suite executives in real-time meetings and scripted low-value return schemes in retail are highlighted as scalable, hard-to-detect threats. Healthcare and retail are particularly exposed, with bots enabling account takeover of HSAs/FSAs and driving continuous low-dollar refund fraud.

OfferUp scams surge: common frauds and protection guidance

🔒 OfferUp users face a range of scams — from counterfeit goods and overpayment ruses to account takeovers, phishing links and empty-box deliveries. The platform provides 48-hour Purchase Protection for qualified on-app purchases but excludes off‑app and cash transactions. Follow advised safeguards: stay in-app, avoid third-party payments, meet at Community Meetup Spots and protect verification codes and personal data.

Coinbase Confirms Contractor Insider Breach of Support Data

🔒 Coinbase confirmed that a contractor improperly accessed data for approximately 30 customers in a December incident, and the individual no longer performs services for the company. Impacted users were notified, provided identity theft protection services, and Coinbase disclosed the incident to relevant regulators. Screenshots of an internal support panel briefly appeared on Telegram and were associated with the 'Shiny Lapsus Hunters' posts, showing customer PII, KYC details, and wallet balances, though attribution remains unclear.

Multi-stage PDF phishing uses Dropbox to harvest logins

📄 Forcepoint researchers describe a multi-stage phishing campaign that uses attached PDFs to redirect victims through cloud-hosted content to a fake Dropbox sign-in page. Attackers exploit spoofed or compromised senders and trusted services to bypass filters and authentication checks like SPF, DKIM, and DMARC. If credentials are entered they’re exfiltrated to attacker-controlled infrastructure for account takeover and fraud. The campaign succeeds because each step appears legitimate in isolation, exploiting habitual trust in PDFs and mainstream cloud services.

Panera Bread breach affects 5.1M accounts, not 14M customers

🔒 Have I Been Pwned reports that a January 2026 data breach at Panera Bread exposed roughly 5.1 million unique email addresses and associated contact information, rather than 14 million distinct customers as initially claimed. The files, totaling about 760 MB, were published by the ShinyHunters extortion group after an alleged failed ransom attempt. ShinyHunters says it gained access via a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO providers. Panera has confirmed the incident to authorities and said the exposed data consists of contact information.