All news with #account takeover tag

Whisper 2FA Drives Nearly One Million Phishing Attacks

🛡️ Whisper 2FA has emerged as a highly active phishing kit, responsible for almost one million attacks since July 2025, according to Barracuda. The platform leverages AJAX to create a live relay between victims and attackers, repeatedly capturing passwords and MFA codes until a valid token is obtained. Campaigns impersonate services like DocuSign, Adobe and Microsoft 365 and use urgent lures such as invoices or voicemail notices. Rapid evolution, dense obfuscation and anti-debugging measures make detection and analysis increasingly difficult.

Google introduces Recovery Contacts to aid account recovery

🔒 Google is introducing Recovery Contacts, a new account-recovery option that lets you designate trusted friends or family to help regain access if you lose a password or device. When you request help, you share a one-time verification code with your chosen contact; they receive an email or notification and confirm the code to verify it’s really you. Your recovery contact will not have access to your account or personal data. The feature complements passkeys and existing recovery tools and is rolling out now.

Anatomy of a BlackSuit Ransomware Blitz at Manufacturer

🔐 Unit 42 responded to a significant BlackSuit ransomware campaign after attackers obtained VPN credentials via a vishing call and immediately escalated privileges. The adversary executed DCSync, moved laterally with RDP/SMB using tools like Advanced IP Scanner and SMBExec, established persistence with AnyDesk and a custom RAT, and exfiltrated over 400 GB before deploying BlackSuit across ~60 ESXi hosts. Unit 42 expanded Cortex XDR visibility from 250 to over 17,000 endpoints and used Cortex XSOAR to automate containment while delivering prioritized remediation guidance.

Chinese Hackers Turn ArcGIS Server into Year-Long Backdoor

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.

Legacy Windows Protocols Enable Network Credential Theft

🔒 Resecurity warns that legacy Windows name-resolution protocols continue to expose organisations to credential theft when attackers share the same local network. By poisoning LLMNR and NBT-NS broadcasts using tools such as Responder, attackers can capture usernames, domain context and password hashes without exploiting a software vulnerability. Recommended mitigations include disabling these protocols via Group Policy, blocking UDP 5355, enforcing SMB signing, reducing NTLM, and monitoring for anomalous traffic.

Cyberattack Targets German Federal Employment Agency

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

Massive Multi-Country Botnet Targets US RDP Services

🔍 Researchers at GreyNoise have identified a large-scale, multi-country botnet that began targeting Remote Desktop Protocol (RDP) services in the United States on October 8. The campaign uses over 100,000 IP addresses and employs two RDP-specific techniques: RD Web Access timing attacks to infer valid usernames and RDP Web Client login enumeration to observe differing server behaviors. Nearly all sources share a common TCP fingerprint, indicating coordinated clusters. Administrators should block attacking IPs, review RDP logs, and avoid exposing remote desktop services to the public internet—use VPNs and enable multi-factor authentication.

SonicWall SSLVPN Accounts Breached With Stolen Credentials

🛡️ Researchers report that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign that began on October 4 and persisted through at least October 10. The attackers appear to be using valid, stolen credentials rather than brute-force methods, and many malicious requests originated from IP 202.155.8[.]73. After authenticating, actors conducted reconnaissance and attempted lateral movement to access numerous local Windows accounts; investigators recommend immediate secret rotation, strict access restrictions, and multi-factor authentication for all admin and remote accounts.

Spain Dismantles GXC Team Cybercrime Syndicate, Leader Held

🔒 Spanish Guardia Civil have dismantled the GXC Team cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as GoogleXcoder. The group operated a crime-as-a-service platform on Telegram and a Russian-speaking forum, selling AI-driven phishing kits, Android malware that intercepted SMS/OTPs, and voice-scam tools. Authorities seized devices, source code, communication logs, and recovered stolen cryptocurrency. Nationwide raids on May 20 led to channel takedowns and the identification of additional suspects; the investigation remains ongoing.

Microsoft: 'Payroll Pirates' Hijack HR SaaS Accounts

🔒 Microsoft warns that a financially motivated group tracked as Storm-2657 is hijacking employee accounts to redirect payroll by altering profiles in third-party HR SaaS platforms such as Workday. Attacks rely on AitM phishing, MFA gaps and SSO abuse rather than software vulnerabilities. Observed tactics include creating inbox rules to delete warning notifications and enrolling attacker-controlled phone numbers for persistent access. Microsoft reported compromises at multiple U.S. universities and recommends phishing-resistant, passwordless MFA such as FIDO2 keys, and reviews of MFA devices and mailbox rules to detect takeover.

Universities Targeted in 'Payroll Pirate' Workday Hijacks

🔐 Microsoft says the Storm-2657 gang has been targeting U.S. university HR employees since March 2025 in “payroll pirate” attacks that aim to hijack salary payments by compromising Workday accounts and Exchange Online mailboxes. Attackers use tailored phishing themes—campus illness, faculty misconduct, executive impersonation—and adversary‑in‑the‑middle (AITM) links to steal MFA codes and gain access. They then set inbox rules to hide warnings, adjust payroll SSO settings, and sometimes enroll attacker phone numbers as MFA devices; Microsoft urges deployment of phishing‑resistant MFA and offers investigative guidance.

Investigating Payroll Pirate Attacks on US Universities

🔍 Microsoft Threat Intelligence observed a financially motivated actor tracked as Storm-2657 conducting targeted 'payroll pirate' intrusions against US universities to divert salary payments. The actor used realistic phishing and adversary-in-the-middle (AiTM) links to harvest credentials and MFA codes, gained access to Exchange Online, abused SSO to reach Workday profiles, and created inbox rules to hide payroll notifications. Microsoft recommends adopting phishing-resistant, passwordless MFA and provides detections and remediation guidance.

Critical Service Finder Bug Lets Attackers Hijack Sites

🔒 A critical authentication bypass in the Service Finder Bookings plugin (CVE-2025-5947, CVSS 9.8) allows unauthenticated attackers to sign in as any user, including administrators. The root cause is improper cookie validation in the account-switching function service_finder_switch_back(), which enables privilege escalation. Maintainers released Service Finder version 6.1 on July 17, 2025 to address the issue, and exploitation attempts have been observed since August 1, 2025. Administrators should upgrade immediately and audit sites for unauthorized accounts or unexpected changes.

Rising Digital Fraud Costs Companies 7.7% of Revenue

📈 TransUnion's H2 2025 update warns that rising digital fraud is costing firms an average of 7.7% of annual revenue, amounting to an estimated $534bn in global losses. US businesses reported heavier impacts — 9.8% of revenue, or roughly $114bn — driven by a surge in account takeover and synthetic identity fraud. The report urges firms to move beyond reactive defenses and strengthen identity verification across digital touchpoints.

Cybersecurity Awareness Month 2025: Move Beyond Passwords

🔐 October's Cybersecurity Awareness Month reminds users that passwords alone no longer provide reliable protection. Adopt MFA wherever possible—prefer authenticator apps or hardware security keys over SMS—and consider emerging passwordless options such as passkeys. Organizations should enforce strong authentication to protect systems, customers and reputation. Watch ESET's video with Tony Anscombe for practical guidance.

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

WhatsApp phishing: fake vote pages hijack accounts

🔒 Kaspersky analyzed a global phishing campaign that uses convincing fake voting pages to hijack WhatsApp accounts. Attackers lure victims with personalized requests and multilingual scam pages; when users click Vote they’re prompted for the phone number linked to their account and shown a single‑use verification code. Victims who then enter or paste that code in their WhatsApp app inadvertently activate a remote WhatsApp Web session, giving attackers full access. Immediately check Linked devices, disconnect unknown sessions, and follow Kaspersky’s recovery and prevention guidance.

Solicitors urged to curb payment diversion fraud losses

🔒 The National Crime Agency and The Law Society have warned that UK house buyers faced average losses of £82,000 from payment diversion fraud over the past year. This form of payment diversion fraud (PDF) — a type of business email compromise — relies on hijacked or spoofed emails and lookalike domains to alter bank transfer instructions. The campaign urges solicitors and conveyancers to tighten checks and advises clients to verify bank details, use strong passwords, avoid public Wi‑Fi and transfer small initial amounts to confirm receipt.

Broadcom Patches VMware NSX Username-Enumeration Flaws

🔒 Broadcom released updates addressing two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). The flaws (CVE-2025-41251 and CVE-2025-41252) permit unauthenticated attackers to enumerate valid usernames via a weak password-recovery flow and a separate enumeration vector, which could be used to support brute-force or unauthorized login attempts. Administrators should apply the vendor patches immediately and verify recovery workflows and logging.

Inside a Convincing Phone Scam: Social Engineering Exposed

🔍 A reader recounts a sophisticated phone scam in which callers posed as bank employees and provided plausible details to build trust. The scammers supplied case numbers and 'cancellation codes,' then transferred the victim to a staged supervisor named Mike Wallace to legitimize their story. Even security-aware individuals can be deceived; the anecdote illustrates how social engineering exploits procedural expectations and authority. Independently verify any unexpected bank contact via official channels before taking action.