All news with #account takeover tag

How Cybercriminals Bypass Logins Using Stolen Credentials

🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.

Patch SessionReaper: Critical Adobe Commerce/Magento Flaw

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.

Social-Engineered Help Desk Breach Costs Clorox $380M

🔐 Attackers affiliated with the Scattered Spider group exploited weak vendor phone procedures to obtain repeated password and MFA resets from Cognizant’s service desk, then used the access to escalate to domain-admin footholds at Clorox. Clorox says the intrusion caused roughly $380 million in damages, including remediation and extended business-interruption losses. The case highlights failure to follow agreed verification processes and the amplified risk of outsourced help desks. Organizations should enforce out-of-band caller verification, immutable reset logs, and automated containment to reduce the attacker window.

Salty2FA Phishing Kit Targets US and EU Enterprises

⚠️ Researchers at ANY.RUN have uncovered Salty2FA, a new phishing-as-a-service kit engineered to harvest credentials and bypass multiple two-factor authentication methods. First observed gaining momentum in mid-2025, the kit uses multi-stage redirects, Cloudflare checks and evasive hosting to slip past automated filters. Salty2FA intercepts push, SMS and voice codes, enabling account takeover across finance, energy and telecom sectors.

Threat Actor Reveals Tradecraft After Installing Agent

🔎Huntress analysts discovered a threat actor inadvertently exposing their workflows after installing the vendor's security agent on their own machine. The agent logged three months of activity, revealing heavy use of AI text and spreadsheet generators, automation platforms like Make.com, proxy services and Telegram Bot APIs to streamline operations. Investigators linked the infrastructure to thousands of compromised identities while many attempts were blocked by existing detections.

Salty2FA Phishing Kit Employs Sophisticated Evasion Tools

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

Hackers Briefly Compromise Two ARTE YouTube Channels

⚠️ Unknown actors briefly gained control of two YouTube channels belonging to the German-French cultural broadcaster Arte, the broadcaster said. The intrusion affected the main channel and Arte Concert, temporarily replacing documentaries and concert programming with cryptocurrency videos and clips referencing Donald Trump and Elon Musk. Arte said the unauthorized access was blocked and a comprehensive analysis of causes and scope is under way; Medieninsider first reported the incident.

18 Popular JavaScript Packages Hijacked to Steal Crypto

🔐 Akido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

Principal Financial Adopts Biometrics to Stop Account Fraud

🔐 Principal Financial replaced brittle knowledge-based authentication with a digital ID verification and biometric platform to block account takeovers. Using DIVA with a focus on facial recognition and an implementation by Onfido (an Entrust company), the insurer completed rollout within months. The change has virtually eliminated fraudulent registrations and improved user success and completion rates while preserving usability.

FBI: Seniors Targeted by Three-Phase Phantom Scams

⚠️ The FBI and its Internet Crime Complaint Center (IC3) warn that seniors are being targeted by a three‑phase “Phantom Hacker” scam that combines tech‑support, financial‑institution, and U.S. government impersonations to extract life savings. Scammers typically gain trust by convincing victims to grant remote access, then prompt transfers via wire, cash, or cryptocurrency to purportedly secure accounts. The IC3 reports substantial losses—an average of US $83,000 per victim—and urges people not to allow remote access, download unsolicited software, or transfer funds at the request of unknown callers.

Brazilian FinTech Sinqia Discloses $130M Pix Heist Attempt

🔒 Sinqia disclosed an attempted theft of approximately R$710 million (about $130m) from two banking customers processed through its Pix transaction environment on 29 August 2025. The company says attackers leveraged compromised credentials from an IT vendor, halted Pix processing, and engaged forensic teams while cooperating with regulators. A portion of the funds has been recovered and investigations, including law enforcement coordination, are ongoing.

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Google Refutes Claims of Mass Gmail Password Alert

🔔 Google has disputed reports that it issued a blanket warning asking 2.5 billion Gmail users to reset passwords following a recent breach that allegedly affected some Workspace accounts. In a Monday blog post the company called those headlines false and emphasized that Gmail's protections block over 99.9% of phishing and malware. Google advised users to enable two-step verification and adopt passkeys, and it criticized the spread of unverified claims by media and security vendors.

Ukrainian AS FDN3 Linked to Massive Brute-Force Attacks

🔒 Intrinsec reports that Ukraine-based autonomous system FDN3 (AS211736) conducted widespread brute-force and password-spraying campaigns targeting SSL VPN and RDP endpoints between June and July 2025, with activity peaking July 6–8. The firm links FDN3 to two other Ukrainian ASes (AS61432, AS210950) and a Seychelles operator (AS210848) that frequently exchange IPv4 prefixes to evade blocklisting. Intrinsec highlights ties to bulletproof hosting providers and a Russian-associated Alex Host LLC, stressing that offshore peering arrangements complicate attribution and takedown efforts.

Amazon Disrupts APT29 Campaign Targeting Microsoft 365

🔒 Amazon disrupted an operation attributed to the Russian state-sponsored group APT29 that used watering-hole compromises to target Microsoft 365 accounts. The attackers injected obfuscated JavaScript into legitimate sites to redirect roughly 10% of visitors to fake Cloudflare verification pages and then into a malicious Microsoft device code authentication flow. Amazon isolated attacker EC2 instances and worked with Cloudflare and Microsoft to take down identified domains; the campaign did not affect Amazon's infrastructure.

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.

Suspected Hacker Arrested for Tampering School Grades

🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.

Feds Seize VerifTools Marketplace Selling Fake IDs

🚨 U.S. and Dutch authorities dismantled VerifTools, an illicit marketplace that produced and sold counterfeit driver's licenses, passports, and other identity documents used to bypass verification systems and facilitate fraud. Two domains and a blog were seized and redirected to an FBI splash page after servers in Amsterdam were confiscated. The FBI linked roughly $6.4 million in illicit proceeds to the service, which offered forged documents for as little as $9. Operators have since signaled a relaunch on a new domain.