All news with #account takeover tag

Microsoft: 'Payroll Pirates' Hijack HR SaaS Accounts

🔒 Microsoft warns that a financially motivated group tracked as Storm-2657 is hijacking employee accounts to redirect payroll by altering profiles in third-party HR SaaS platforms such as Workday. Attacks rely on AitM phishing, MFA gaps and SSO abuse rather than software vulnerabilities. Observed tactics include creating inbox rules to delete warning notifications and enrolling attacker-controlled phone numbers for persistent access. Microsoft reported compromises at multiple U.S. universities and recommends phishing-resistant, passwordless MFA such as FIDO2 keys, and reviews of MFA devices and mailbox rules to detect takeover.

Universities Targeted in 'Payroll Pirate' Workday Hijacks

🔐 Microsoft says the Storm-2657 gang has been targeting U.S. university HR employees since March 2025 in “payroll pirate” attacks that aim to hijack salary payments by compromising Workday accounts and Exchange Online mailboxes. Attackers use tailored phishing themes—campus illness, faculty misconduct, executive impersonation—and adversary‑in‑the‑middle (AITM) links to steal MFA codes and gain access. They then set inbox rules to hide warnings, adjust payroll SSO settings, and sometimes enroll attacker phone numbers as MFA devices; Microsoft urges deployment of phishing‑resistant MFA and offers investigative guidance.

Investigating Payroll Pirate Attacks on US Universities

🔍 Microsoft Threat Intelligence observed a financially motivated actor tracked as Storm-2657 conducting targeted 'payroll pirate' intrusions against US universities to divert salary payments. The actor used realistic phishing and adversary-in-the-middle (AiTM) links to harvest credentials and MFA codes, gained access to Exchange Online, abused SSO to reach Workday profiles, and created inbox rules to hide payroll notifications. Microsoft recommends adopting phishing-resistant, passwordless MFA and provides detections and remediation guidance.

Critical Service Finder Bug Lets Attackers Hijack Sites

🔒 A critical authentication bypass in the Service Finder Bookings plugin (CVE-2025-5947, CVSS 9.8) allows unauthenticated attackers to sign in as any user, including administrators. The root cause is improper cookie validation in the account-switching function service_finder_switch_back(), which enables privilege escalation. Maintainers released Service Finder version 6.1 on July 17, 2025 to address the issue, and exploitation attempts have been observed since August 1, 2025. Administrators should upgrade immediately and audit sites for unauthorized accounts or unexpected changes.

Rising Digital Fraud Costs Companies 7.7% of Revenue

📈 TransUnion's H2 2025 update warns that rising digital fraud is costing firms an average of 7.7% of annual revenue, amounting to an estimated $534bn in global losses. US businesses reported heavier impacts — 9.8% of revenue, or roughly $114bn — driven by a surge in account takeover and synthetic identity fraud. The report urges firms to move beyond reactive defenses and strengthen identity verification across digital touchpoints.

Cybersecurity Awareness Month 2025: Move Beyond Passwords

🔐 October's Cybersecurity Awareness Month reminds users that passwords alone no longer provide reliable protection. Adopt MFA wherever possible—prefer authenticator apps or hardware security keys over SMS—and consider emerging passwordless options such as passkeys. Organizations should enforce strong authentication to protect systems, customers and reputation. Watch ESET's video with Tony Anscombe for practical guidance.

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

WhatsApp phishing: fake vote pages hijack accounts

🔒 Kaspersky analyzed a global phishing campaign that uses convincing fake voting pages to hijack WhatsApp accounts. Attackers lure victims with personalized requests and multilingual scam pages; when users click Vote they’re prompted for the phone number linked to their account and shown a single‑use verification code. Victims who then enter or paste that code in their WhatsApp app inadvertently activate a remote WhatsApp Web session, giving attackers full access. Immediately check Linked devices, disconnect unknown sessions, and follow Kaspersky’s recovery and prevention guidance.

Solicitors urged to curb payment diversion fraud losses

🔒 The National Crime Agency and The Law Society have warned that UK house buyers faced average losses of £82,000 from payment diversion fraud over the past year. This form of payment diversion fraud (PDF) — a type of business email compromise — relies on hijacked or spoofed emails and lookalike domains to alter bank transfer instructions. The campaign urges solicitors and conveyancers to tighten checks and advises clients to verify bank details, use strong passwords, avoid public Wi‑Fi and transfer small initial amounts to confirm receipt.

Broadcom Patches VMware NSX Username-Enumeration Flaws

🔒 Broadcom released updates addressing two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). The flaws (CVE-2025-41251 and CVE-2025-41252) permit unauthenticated attackers to enumerate valid usernames via a weak password-recovery flow and a separate enumeration vector, which could be used to support brute-force or unauthorized login attempts. Administrators should apply the vendor patches immediately and verify recovery workflows and logging.

Inside a Convincing Phone Scam: Social Engineering Exposed

🔍 A reader recounts a sophisticated phone scam in which callers posed as bank employees and provided plausible details to build trust. The scammers supplied case numbers and 'cancellation codes,' then transferred the victim to a staged supervisor named Mike Wallace to legitimize their story. Even security-aware individuals can be deceived; the anecdote illustrates how social engineering exploits procedural expectations and authority. Independently verify any unexpected bank contact via official channels before taking action.

Datzbro Android Trojan Targets Seniors for DTO Fraud

🛡️ThreatFabric disclosed a newly observed Android banking trojan named Datzbro that targets elderly users via Facebook groups promoting senior activities. Attackers lure victims to install purported community apps (Android APKs and placeholder iOS TestFlight links) via Messenger or WhatsApp; payloads either install Datzbro directly or use a Zombinder dropper to bypass Android 13+ protections. Datzbro abuses Android Accessibility services to perform device takeover, overlay attacks, keylogging and remote control, enabling credential theft and fraudulent transactions. The malware is tied to a Chinese-language desktop C2 and contains Chinese debug strings, suggesting origin and potential wider distribution.

Akira Bypasses MFA on SonicWall VPNs via Reused Logins

🔐Akira ransomware operators are successfully authenticating to SonicWall SSL VPN accounts even when one-time password (OTP) multi-factor authentication is enabled. Arctic Wolf links the logins to credentials and OTP seeds harvested via an improper access control flaw tracked as CVE-2024-40766, and notes attackers can reuse those secrets after devices are patched. Once inside, actors rapidly scan internal networks, harvest backup server credentials, and use techniques such as BYOVD to sideload vulnerable drivers and disable protections. Administrators are urged to install the latest SonicOS (recommended 7.3.0) and reset all SSL VPN credentials immediately.

Defending Against Credential Attacks with Hybrid Mesh

🔐 Credential-based attacks are at epidemic levels: the 2025 Verizon DBIR shows 22% of breaches begin with compromised credentials, and Check Point's External Risk Management saw leaked credential volumes rise 160% year‑over‑year. Attackers increasingly prefer to "log in" rather than "hack in," exploiting exposed passwords, tokens, API keys and OAuth abuse. The article recommends a hybrid mesh architecture that unifies identity, network, endpoint and cloud telemetry to apply context-aware, adaptive access controls, improved credential hygiene, and faster detection and response.

Roblox executors: cheat tools that bring security risks

⚠️ Downloading third-party Roblox "executors" — tools that inject and run unauthorized scripts in games — can lead to account bans and serious security incidents. Malicious actors distribute fake or trojanised versions of popular tools such as Synapse X and Solara, sometimes bundling ransomware or backdoors. These installers may ask users to disable antivirus protections, which is a clear warning sign. Parents should steer children toward official features and avoid unverified downloads to keep accounts and devices safe.

AWS WAF Bot, Fraud & DDoS Rule Group Expands Regions

🔒 AWS WAF's Targeted Bot Control, Fraud, and DDoS Prevention Rule Group are now available in Asia Pacific (Taipei), Asia Pacific (Bangkok), and Mexico (Central). These managed rule groups deliver detection and mitigations for sophisticated bots, application-layer DDoS, and account-takeover attacks at the web edge. Customers can deploy them to improve application resilience, reduce fraudulent activity, and limit resource consumption during attack campaigns.

SpyCloud: Identity Blind Spots Raise Ransomware Risk

🔒 The SpyCloud 2025 Identity Threat Report exposes a gap between confidence and capability: 86% of security leaders say they can prevent identity-based attacks, yet 85% of organizations experienced ransomware in the past year, with over one-third hit six to ten times. A survey of 500+ security leaders in North America and the UK highlights identity sprawl across SaaS, unmanaged devices and third-party ecosystems. The report notes phishing, credential reuse and exposed sessions increasingly enable persistent access. It warns that most organizations lack automated remediation, repeatable workflows and formal investigation protocols.

Lovense app flaws let attackers deanonymize, hijack

🔒 Researchers disclosed two critical vulnerabilities in Lovense remote-control software that exposed real user email addresses and allowed attackers to generate authentication tokens using only an email, without passwords. Combined, these flaws enabled account takeover across multiple products including Lovense Remote, Lovense Connect and streaming extensions. Reported in spring 2025, fixes were delayed and fully applied only after public disclosure; users should consider separate emails and strong, unique passwords.

PyPI warns users to reset credentials after phishing

🔒 The Python Software Foundation warns of a phishing campaign using a convincing fake PyPI site at pypi-mirror[.]org that asks users to 'verify their email address' and threatens account suspension. If you clicked the link and submitted credentials, change your password immediately, inspect your account's Security History, and report suspicious activity to security@pypi.org. Maintainers should avoid clicking links in unsolicited emails, use password managers that auto-fill only on matching domains, and enable phishing-resistant 2FA such as hardware security keys.

AI-Obfuscated SVG Phishing Campaign Detected and Blocked

🔍 Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that likely leveraged AI-generated code to obfuscate its payload inside an SVG attachment. The malicious SVG imitated a PDF and hid JavaScript within invisible, business-themed elements and a long sequence of business terms that the embedded script decoded into redirects, browser fingerprinting, and session tracking. Microsoft Defender for Office 365 blocked the activity by correlating infrastructure, behavioral, and message-context signals, while Security Copilot flagged the code as likely LLM-generated.