
All news with #account takeover tag

169 articles · page 6 of 9

OAuth Device Code Phishing Surges, Targeting Microsoft 365

🔐 Proofpoint has observed a sharp increase in phishing campaigns that abuse Microsoft's OAuth device code authorization flow to gain access to Microsoft 365 accounts. Attackers use social engineering — QR codes, embedded buttons and hyperlinks — to trick users into entering device codes on Microsoft's legitimate verification page, which yields valid access tokens. Readily available tools such as SquarePhish2 and Graphish have lowered the bar for both state-aligned and financially motivated actors.

Smashing Security 448: Kindle exploit, account and card risk

🎧 In episode #448 of Smashing Security, Graham Cluley and guest Danny Palmer discuss a Black Hat Europe disclosure showing how a booby-trapped audiobook could exploit an Amazon Kindle e‑reader. The research suggests a malformed audio file might let an attacker gain persistent access, break into an account and seize a saved credit card. The episode also revisits Ireland’s HSE ransomware fallout, where victims were reportedly offered €750 each, and includes a Pick of the Week. Listeners are urged to keep devices updated and monitor accounts for suspicious activity.

WhatsApp device-linking abused in GhostPairing campaign

🔒 Threat actors are abusing WhatsApp's legitimate device-linking feature in a campaign named GhostPairing, tricking victims into entering pairing codes on fake verification pages. Once a code is submitted, attackers gain full access to conversations and shared media and can send messages as the victim to propagate the lure. Users should check Settings → Linked Devices for unauthorized sessions, block and report suspicious messages, and enable two-factor authentication.

Telegram Mini App Phishing Exploits NFT Gifts Airdrops

🔒 Kaspersky describes a phishing campaign that abuses Telegram Mini Apps to harvest credentials by promising free NFT-style 'gifts' and airdrops. Attackers embed convincing fake Mini Apps inside the official Telegram client, exploiting users' trust in in-app content and minimal platform vetting. Kaspersky urges users to verify sources, avoid entering login codes inside Mini Apps, enable two-step verification and passkeys, and store credentials in a password manager.

Third Defendant Pleads Guilty in Fantasy Betting Hack

🔒 Nathan Austad, 21, pleaded guilty to conspiring to commit computer intrusion after participating in a credential stuffing campaign that compromised more than 60,000 user accounts on a fantasy sports betting site in November 2022. Prosecutors say attackers added payment methods, drained balances and sold account access on online marketplaces; roughly $600,000 was stolen from about 1,600 victims. Investigators say Austad ran an online shop and controlled cryptocurrency wallets that received approximately $465,000 in proceeds. He acknowledged awareness of an active investigation and faces up to five years in prison, with sentencing scheduled for April 10, 2026.

Gray-Market SIMs Fuel Large-Scale Online Manipulation

🔎 An extensive international gray market for physical and virtual SIM cards is enabling large-scale verification of fake accounts, a study by the University of Cambridge finds. Providers such as SMSActivate, 5Sim, SMShub and SMSPVA supply numbers used to create and verify bot armies across WhatsApp, Telegram, Facebook, X, TikTok and e-commerce sites. The researchers published the COTSI index to track daily SMS verification prices in 197 countries and observed notable price spikes for WhatsApp and Telegram ahead of national elections, highlighting risks for fraud, influence operations and phishing.

Mass Compromise of IP Cameras in South Korea Reveals Risks

📷 South Korean authorities arrested four suspects after roughly 120,000 internet-connected IP cameras in homes and businesses were breached and sexually explicit footage was sold on an overseas adult site. Investigators indicate attackers likely exploited weak or default credentials and unpatched device software. Owners should replace factory passwords, use unique credentials and enable two-factor authentication; consider a reputable password manager such as Kaspersky Password Manager to generate and store strong, random passwords and one-time codes.

ConsentFix attack hijacks Microsoft accounts via Azure CLI

🔒 A new variant of the ClickFix social‑engineering technique, called ConsentFix, abuses the Azure CLI OAuth flow to hijack Microsoft accounts without passwords or MFA. Discovered by Push Security, the campaign lures targets via compromised high‑ranking websites and a fake Cloudflare Turnstile CAPTCHA to filter victims. The attack captures an OAuth authorization code returned to a localhost redirect and instructs the user to paste the URL, enabling the attacker to exchange the code for an Azure CLI access token and take control of the account.

New Wave of VPN Login Attempts Targets GlobalProtect

🔐 Beginning December 2, a campaign using more than 7,000 IPs from German host 3xK GmbH (AS200373) carried out brute-force login attempts against Palo Alto GlobalProtect portals and soon pivoted to scanning SonicWall SonicOS API endpoints. GreyNoise links the activity to three recurring client fingerprints seen in prior scans and to earlier campaigns that generated millions of HTTP sessions. Organizations should monitor authentication velocity and failures, block implicated IPs and fingerprints, and enforce MFA to reduce credential abuse.

Freedom Mobile Breach Exposes Customer Personal Data

🔒 Freedom Mobile detected a breach of its customer account management platform on October 23 after a third party used the account of a subcontractor to access customer records. The carrier says it blocked suspicious accounts and IP addresses and implemented corrective measures and security enhancements. Exposed data include first and last names, home addresses, dates of birth, phone numbers, and Freedom account numbers. Freedom reports no evidence so far of misuse and has urged customers to watch for phishing and check accounts for unusual activity.

India Orders Messaging Apps to Bind Accounts to SIMs

🔒 India's Department of Telecommunications (DoT) has directed messaging apps to bind accounts to an active, KYC‑verified SIM linked to the user's mobile number, with platforms required to comply within 90 days. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 aims to curb phishing, cross‑border fraud and remote account takeovers by closing gaps from long‑lived web/desktop sessions. Providers must enforce continuous SIM linkage and force web sessions to log out every six hours, requiring QR re‑linking. The DoT also announced a Mobile Number Validation (MNV) platform for decentralized, privacy‑compliant verification.

When Hackers Wear Suits: Preventing Insider Impersonation

🛡️ The hiring pipeline is being exploited by sophisticated threat actors who create fake personas—complete with fabricated resumes, AI-generated videos, and stolen identities—to secure privileged remote roles inside organizations. Once hired these imposters can exfiltrate data, plant backdoors, or extort employers, making the risk especially acute for MSPs that manage multiple clients. Strengthening HR verification, staged access provisioning, hardware-based MFA, network segmentation, and ongoing security awareness training are essential to mitigate this insider impersonation threat.

French Football Federation Discloses Member Data Breach

⚽ The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to access administrative management software used by clubs. FFF detected the unauthorized access, disabled the compromised account, and reset all user passwords across the system. Before they were evicted, threat actors exfiltrated personal and contact information for members. The federation said it has filed a criminal complaint, notified regulators, and will directly inform affected individuals while urging vigilance against phishing attempts.

FBI Warns of Widespread Account Takeover Fraud Since 2025

🔒 Since January 2025 the FBI reports account takeover (ATO) schemes have produced losses exceeding $262 million. Cybercriminals impersonate bank, payroll and health account providers and use phishing domains, SEO poisoning and social engineering to harvest credentials and one-time codes. The Bureau recommends enabling MFA, using unique complex passwords, monitoring accounts regularly, avoiding search ads and verifying unsolicited calls or messages before sharing any login information.

FBI: $262M Lost to ATO Fraud as AI Phishing Escalates

🔐 The FBI warns that cybercriminals impersonating banks and payment services have caused over $262 million in losses this year through account takeover (ATO) fraud and more than 5,100 complaints. Attackers use phishing, SEO poisoning, calls and SMS to harvest credentials and MFA/OTP codes, then transfer funds to intermediary accounts and convert proceeds to cryptocurrency. The advisory highlights growing use of AI-generated phishing and holiday-themed scams and urges vigilance, unique passwords, URL checks and stronger authentication.

FBI: $262M Stolen in Bank Support Impersonation Scams

⚠️ The FBI warns that cybercriminals impersonating bank and payroll support teams have stolen over $262 million in account takeover (ATO) fraud since January 2025, with more than 5,100 complaints reported to the Internet Crime Complaint Center. Attackers use calls, texts, phishing sites and SEO‑poisoned search results to harvest credentials and MFA/OTP codes, then quickly wire funds to crypto wallets and lock owners out. The FBI advises monitoring accounts, using unique complex passwords, enabling MFA, bookmarking official banking sites, contacting financial institutions immediately to request recalls and indemnification, and filing detailed complaints with IC3.

Holiday Cyberthreat Surge 2025: What CISOs Must Know

🛡️ FortiGuard Labs' 2025 holiday analysis documents a marked increase in malicious infrastructure, credential theft, and targeted exploitation of e-commerce systems during the pre-holiday period. Attackers registered tens of thousands of holiday- and retail-themed domains and sold over 1.57 million account records from stealer logs, fueling credential stuffing and account takeover. The report highlights active exploitation of critical flaws in platforms such as Magento, Oracle EBS, and WooCommerce, and emphasizes urgent mitigations: patching, MFA, bot management, domain monitoring, and payment-page integrity checks to reduce fraud and protect customers.

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

Music Store's Google Ads Account Hijacked, €4M Loss

🔒 The Google Ads account for Cologne-based retailer Music Store was reportedly taken over by attackers on 19 October 2025. Criminals have linked more than 2,500 foreign advertising accounts to the company’s payment profile and are running persistent campaigns promoting online casinos and crypto exchanges that administrators cannot remove. The assigned Google account manager has reportedly been unable to stop the activity, and formal attempts to get intervention via official channels have so far failed. Police cybercrime investigators and consumer protection authorities have been notified, and reported losses exceed €4 million.

CTM360 Reveals Global WhatsApp Account-Hacking Campaign

🔒 CTM360 reports a large-scale campaign, dubbed HackOnChat, that deploys deceptive web portals and impersonation pages to compromise WhatsApp accounts worldwide. Attackers rapidly create thousands of malicious URLs on inexpensive domains and web-building platforms, luring users with fake security alerts and lookalike login pages. Once accounts are taken, they are abused to defraud contacts, harvest sensitive data, and expand the scam.