ciso brief

All news with #account takeover tag

169 articles · page 7 of 9

APT37 Abuses Google Find Hub to Remotely Wipe Android

🔍 North Korean-linked operators abuse Google Find Hub to locate targets' Android devices and issue remote factory resets after compromising Google accounts. The attacks focus on South Koreans and begin with social engineering over KakaoTalk, using signed MSI lures that deploy AutoIT loaders and RATs such as Remcos, Quasar, and RftRAT. Wiping devices severs mobile KakaoTalk alerts so attackers can hijack PC sessions to spread malware. Recommended defenses include enabling multi-factor authentication, keeping recovery access ready, and verifying unexpected files or messages before opening.

Konni Exploits Google's Find Hub to Remotely Wipe Devices

⚠️ The North Korea-linked Konni threat actor has been observed combining spear-phishing and signed installers to compromise Windows and Android systems and exfiltrate credentials. Genians Security Center reports attackers used stolen Google account credentials to access Google Find Hub and remotely reset devices, causing unauthorized data deletion. The campaign, detected in early September 2025, uses malicious MSI packages and RATs including EndRAT and Remcos to maintain long-term access and propagate via compromised KakaoTalk sessions.

Phishing texts impersonate Find My to steal Apple IDs

📱 The Swiss NCSC warns of smishing attacks that impersonate Apple's Find My team, telling owners their lost iPhone has been found to lure them to a fake login page. Messages can cite device details visible on the lock screen and use the displayed contact info to target victims. The counterfeit pages request the user's Apple ID and password, which attackers then use to remove Activation Lock. Users should enable Lost Mode, avoid unsolicited links, use a dedicated contact email, and protect their SIM with a PIN.

Enterprise Credentials at Risk: Same Old Compromise Cycle

🔐 The article outlines how everyday credential reuse and phishing feed a persistent compromise lifecycle: credentials are created, stolen, aggregated, tested, and ultimately exploited. It details common vectors — phishing, credential stuffing, third-party breaches, and leaked API keys — and describes criminal marketplaces, botnets, opportunistic fraudsters, and organized crime as distinct actors. Consequences include account takeover, lateral movement, data theft, resource abuse, and ransomware, and the piece urges immediate action such as scanning for leaked credentials with tools like Outpost24's Credential Checker.

Nikkei Slack Account Compromise Exposes Employee Data

🔒 Nikkei disclosed that unauthorized actors used malware to infect an employee’s computer, obtain Slack credentials, and access accounts on the company's Slack workspace. The firm reports that data for possibly more than 17,000 employees and business partners — including names, email addresses and chat logs — may have been stolen. Nikkei discovered the incident in September and implemented password resets and other remediation measures. The company said there's no confirmation that sources or journalistic activities were affected.

WhatsApp screen-sharing scam: risks and protections

🔒 A growing scam exploits WhatsApp’s screen-sharing feature to trick users into exposing verification codes, passwords and banking details during video calls. Attackers pose as banks, service providers or contacts, create urgency, then request screen sharing or the installation of remote-access apps like AnyDesk or TeamViewer. Once granted, they capture OTPs, install malware or coerce transfers, enabling account takeover and financial theft. Stay skeptical: never share screens, passwords or verification codes with strangers.

Hackers Exploit Post SMTP Plugin to Hijack Admin Accounts

⚠️ WordPress sites using Post SMTP (≤3.6.0) are under active attack after disclosure of CVE-2025-11833, a critical (9.8) email log disclosure that lets unauthenticated actors read password-reset messages and hijack administrator accounts. A vendor patch, Post SMTP 3.6.1, was released Oct 29, but roughly 210,000 sites remain unpatched. Wordfence observed exploitation beginning Nov 1 and has blocked over 4,500 attempts; site owners should update or disable the plugin immediately.

Cybercriminals Increasingly Target Online Payroll Systems

🔒 Microsoft warns of an emerging scam targeting online payroll systems, in which attackers use social engineering to steal employee and administrator credentials. Those credentials are abused to reroute direct deposits into attacker-controlled accounts, and fraudsters may take extra steps such as changing contact details or suppressing notifications to delay detection. The advisory highlights how moving payroll online creates new avenues for account takeover and financial fraud, and urges employers and vendors to strengthen authentication, monitoring, and verification processes.

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.

Quarter of Scam Victims Report Considering Self-Harm

⚠️ A new 2025 Consumer Impact Report from the Identity Theft Resource Center (ITRC) finds identity fraud is driving severe mental and financial harm, with one quarter of surveyed consumers saying they seriously considered self-harm after an incident. The figure rises to 68% among self-identified victims but falls to 14% for those who contacted the ITRC, underscoring the value of professional support. The study of 1,033 general consumers also highlights rising repeat victimisation, large monetary losses — including more than 20% losing over $100,000 and 10% losing at least $1m — social media account takeovers as the most common crime, and widespread concern that AI will be a major battleground for identity security.

Recruitment red flags: spotting faux job applicants

🔍 Organizations are facing a growing threat from applicants who pose as legitimate job seekers but are in fact operatives tied to overseas actor networks. Recent cases — including a July 2024 incident at KnowBe4 and longer-running campaigns tracked as WageMole and DeceptiveDevelopment — show perpetrators use stolen identities, deepfakes and remote infrastructure to gain employment. The article outlines practical detection cues for recruitment teams and containment steps to limit insider risk.

ChatGPT Atlas 'Tainted Memories' CSRF Risk Exposes Accounts

⚠️ Researchers disclosed a CSRF-based vulnerability in ChatGPT Atlas that can inject malicious instructions into the assistant's persistent memory, potentially enabling arbitrary code execution, account takeover, or malware deployment. LayerX warns that corrupted memories persist across devices and sessions until manually deleted and that Atlas' anti-phishing defenses lag mainstream browsers. The flaw converts a convenience feature into a persistent attack vector that can be invoked during normal prompts.

Europol Dismantles Network Behind 49 Million Fake Accounts

🔒 Europol, together with police in Estonia, Finland, Latvia and Austria, dismantled a cybercrime-as-a-service network during coordinated raids on October 10. Seven suspects were arrested and authorities seized five servers, some 40,000 active SIM cards, luxury vehicles, bank accounts and crypto wallets. Investigators say the operation created roughly 49 million fake accounts across about 80 countries and used those identities to swindle millions of euros.

Vietnam Actors Use Fake Job Postings to Hijack Ad Accounts

🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.

'Jingle Thief' Exploits Cloud to Steal Gift Cards at Scale

🔒 Researchers detail a threat cluster called Jingle Thief that leverages phishing and smishing to harvest credentials and compromise cloud environments of retailers and consumer services to issue unauthorized gift cards. Palo Alto Networks Unit 42 links the activity to financially motivated actors and notes coordinated campaigns in April-May 2025. The attackers favor identity misuse over malware, persistently mapping tenants, abusing Microsoft 365 services, and minimizing logs to sustain large-scale fraud.

Over 250 Magento Stores Targeted Using SessionReaper Bug

⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.

Cyberattack Targets German Federal Employment Agency

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

SonicWall SSLVPN Accounts Breached With Stolen Credentials

🛡️ Researchers report that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign that began on October 4 and persisted through at least October 10. The attackers appear to be using valid, stolen credentials rather than brute-force methods, and many malicious requests originated from IP 202.155.8[.]73. After authenticating, actors conducted reconnaissance and attempted lateral movement to access numerous local Windows accounts; investigators recommend immediate secret rotation, strict access restrictions, and multi-factor authentication for all admin and remote accounts.

Microsoft: 'Payroll Pirates' Hijack HR SaaS Accounts

🔒 Microsoft warns that a financially motivated group tracked as Storm-2657 is hijacking employee accounts to redirect payroll by altering profiles in third-party HR SaaS platforms such as Workday. Attacks rely on AitM phishing, MFA gaps and SSO abuse rather than software vulnerabilities. Observed tactics include creating inbox rules to delete warning notifications and enrolling attacker-controlled phone numbers for persistent access. Microsoft reported compromises at multiple U.S. universities and recommends phishing-resistant, passwordless MFA such as FIDO2 keys, and reviews of MFA devices and mailbox rules to detect takeover.