All news with #account takeover tag

Brazilian FinTech Sinqia Discloses $130M Pix Heist Attempt

🔒 Sinqia disclosed an attempted theft of approximately R$710 million (about $130m) from two banking customers processed through its Pix transaction environment on 29 August 2025. The company says attackers leveraged compromised credentials from an IT vendor, halted Pix processing, and engaged forensic teams while cooperating with regulators. A portion of the funds has been recovered and investigations, including law enforcement coordination, are ongoing.

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Google Refutes Claims of Mass Gmail Password Alert

🔔 Google has disputed reports that it issued a blanket warning asking 2.5 billion Gmail users to reset passwords following a recent breach that allegedly affected some Workspace accounts. In a Monday blog post the company called those headlines false and emphasized that Gmail's protections block over 99.9% of phishing and malware. Google advised users to enable two-step verification and adopt passkeys, and it criticized the spread of unverified claims by media and security vendors.

Ukrainian AS FDN3 Linked to Massive Brute-Force Attacks

🔒 Intrinsec reports that Ukraine-based autonomous system FDN3 (AS211736) conducted widespread brute-force and password-spraying campaigns targeting SSL VPN and RDP endpoints between June and July 2025, with activity peaking July 6–8. The firm links FDN3 to two other Ukrainian ASes (AS61432, AS210950) and a Seychelles operator (AS210848) that frequently exchange IPv4 prefixes to evade blocklisting. Intrinsec highlights ties to bulletproof hosting providers and a Russian-associated Alex Host LLC, stressing that offshore peering arrangements complicate attribution and takedown efforts.

Amazon Disrupts APT29 Campaign Targeting Microsoft 365

🔒 Amazon disrupted an operation attributed to the Russian state-sponsored group APT29 that used watering-hole compromises to target Microsoft 365 accounts. The attackers injected obfuscated JavaScript into legitimate sites to redirect roughly 10% of visitors to fake Cloudflare verification pages and then into a malicious Microsoft device code authentication flow. Amazon isolated attacker EC2 instances and worked with Cloudflare and Microsoft to take down identified domains; the campaign did not affect Amazon's infrastructure.

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.

Suspected Hacker Arrested for Tampering School Grades

🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.

Feds Seize VerifTools Marketplace Selling Fake IDs

🚨 U.S. and Dutch authorities dismantled VerifTools, an illicit marketplace that produced and sold counterfeit driver's licenses, passports, and other identity documents used to bypass verification systems and facilitate fraud. Two domains and a blog were seized and redirected to an FBI splash page after servers in Amsterdam were confiscated. The FBI linked roughly $6.4 million in illicit proceeds to the service, which offered forged documents for as little as $9. Operators have since signaled a relaunch on a new domain.

Cloud CISO Perspectives: Fighting Cyber-Enabled Fraud

🔒 David Stone and Marina Kaganovich from Google Cloud’s Office of the CISO warn that cyber-enabled fraud (CEF) is scaling rapidly and presents severe financial and reputational risk. The post cites FBI data — $13.7 billion in losses in 2024 — and highlights common tactics such as phishing, ransomware, account takeover, and business email compromise. It urges CISOs and boards to shift from siloed defenses to a proactive, enterprise-wide posture using frameworks like FS-ISAC’s Cyber Fraud Prevention Framework and Google Cloud detection and protection capabilities.

Fake IT Support Phishing Targets Microsoft Teams Users

🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.

Password Manager Auto-Fill Flaw, Quantum Risks, Devices

🔒 In this edition of the Smashing Security podcast Graham Cluley and guest Thom Langford examine how some password managers can be tricked into auto-filling secrets into cookie banners via a clickjacking sleight-of-hand. They discuss practical defenses for website owners and hardening steps for users to protect their personal vaults. The episode also covers post-quantum concerns—"harvest-now, decrypt-later"—Microsoft’s 2033 quantum-safe commitment, and device update risks including printers, plus lighter segments like a dodgy URL "shadyfier" and repurposing an iMac G4 as a media hub.

Retail and Hospitality Data Heists: Digital Extortion Trends

🔒Unit 42 describes how financially motivated actors blend reconnaissance and social engineering to target high-end retailers and other sectors, stealing customer data for extortion. Attackers commonly use voice-based phishing and impersonation to harvest credentials or trick users into running a modified Data Loader for Salesforce, then search SharePoint, Microsoft 365 and Salesforce for PII. Because intrusions often avoid malware, forensic artifacts are minimal, complicating detection and response.

Alleged Mastermind Behind K-Pop Stock Heist Extradited

🔒 South Korean authorities have extradited a 34-year-old suspect from Thailand, accused of masterminding a coordinated campaign that siphoned millions in stocks from celebrities, including Jung Kook. Investigators say the group stole personal data from Korean telecom firms, used it to assume victims' identities and opened brokerage accounts between August 2023 and January 2024. With assistance from Interpol and Thai authorities, officials tracked and arrested the suspect, who has admitted some allegations while denying others.

HOOK Android Trojan Adds Ransomware Overlays, Expands

🔒 Cybersecurity researchers at Zimperium zLabs have identified a new HOOK Android banking trojan variant that deploys full-screen ransomware-style overlays to extort victims. The overlay is remotely triggered via the command "ransome" and displays a warning, wallet address and amount, and can be dismissed by the attacker with "delete_ransome". An offshoot of ERMAC, the latest HOOK builds on banking malware techniques and now supports 107 remote commands, introducing transparent gesture-capture overlays, fake NFC and payment screens, and deceptive unlock prompts to harvest credentials and crypto recovery phrases.

Major Corporation Uses '123456' for Critical Access

🔒 McDonald's reportedly configured a major corporate system with the password 123456, illustrating a glaring failure in basic security hygiene. That weak credential makes systems trivially susceptible to brute-force and credential-stuffing attacks and indicates lax oversight of password policies, privileged accounts, and access controls. Immediate remediation should include forcing password rotation, deploying multi-factor authentication, implementing centralized secrets management, and auditing privileged access.

Transparent Tribe Targets Indian Govt with Shortcut Malware

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.

Weak Passwords Fuel Rise in Compromised Accounts in 2025

🔐 The Picus Blue Report 2025 finds that password cracking succeeded in 46% of tested environments, while Valid Accounts (T1078) exploitation achieved a 98% success rate. Many organizations still rely on weak passwords, outdated hashing, and lax internal controls, leaving credential stores exposed. The report urges adoption of widespread MFA, stronger password policies, routine credential-validation simulations, and improved behavioral detection to reduce undetected lateral movement and data theft.

Scattered Spider Member Sentenced to 10 Years in US

🔒 Noah Michael Urban, a 20-year-old member of the Scattered Spider cybercrime gang, was sentenced to 120 months in federal prison after pleading guilty to wire fraud and aggravated identity theft in April 2025. The court also ordered $13 million in restitution and three years of supervised release; Urban called the sentence unjust. Prosecutors say Urban and co-conspirators used SIM swapping and social engineering between August 2022 and March 2023 to steal at least $800,000 and hijack cryptocurrency accounts. His case is part of broader DoJ actions against Scattered Spider as the group forges alliances with other criminal collectives.

SIM-Swapper Scattered Spider Hacker Sentenced 10 Years

🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.