All news with #account takeover tag
Thu, August 28, 2025
Cloud CISO Perspectives: Fighting Cyber-Enabled Fraud
🔒 David Stone and Marina Kaganovich from Google Cloud’s Office of the CISO warn that cyber-enabled fraud (CEF) is scaling rapidly and presents severe financial and reputational risk. The post cites FBI data — $13.7 billion in losses in 2024 — and highlights common tactics such as phishing, ransomware, account takeover, and business email compromise. It urges CISOs and boards to shift from siloed defenses to a proactive, enterprise-wide posture using frameworks like FS-ISAC’s Cyber Fraud Prevention Framework and Google Cloud detection and protection capabilities.
Thu, August 28, 2025
Fake IT Support Phishing Targets Microsoft Teams Users
🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.
Wed, August 27, 2025
Password Manager Auto-Fill Flaw, Quantum Risks, Devices
🔒 In this edition of the Smashing Security podcast Graham Cluley and guest Thom Langford examine how some password managers can be tricked into auto-filling secrets into cookie banners via a clickjacking sleight-of-hand. They discuss practical defenses for website owners and hardening steps for users to protect their personal vaults. The episode also covers post-quantum concerns—"harvest-now, decrypt-later"—Microsoft’s 2033 quantum-safe commitment, and device update risks including printers, plus lighter segments like a dodgy URL "shadyfier" and repurposing an iMac G4 as a media hub.
Tue, August 26, 2025
Retail and Hospitality Data Heists: Digital Extortion Trends
🔒 Unit 42 describes how financially motivated actors blend reconnaissance and social engineering to target high-end retailers and other sectors, stealing customer data for extortion. Attackers commonly use voice-based phishing and impersonation to harvest credentials or trick users into running a modified Data Loader for Salesforce, then search SharePoint, Microsoft 365 and Salesforce for PII. Because intrusions often avoid malware, forensic artifacts are minimal, complicating detection and response.
Tue, August 26, 2025
Alleged Mastermind Behind K-Pop Stock Heist Extradited
🔒 South Korean authorities have extradited a 34-year-old suspect from Thailand, accused of masterminding a coordinated campaign that siphoned millions in stocks from celebrities, including Jung Kook. Investigators say the group stole personal data from Korean telecom firms, used it to assume victims' identities and opened brokerage accounts between August 2023 and January 2024. With assistance from Interpol and Thai authorities, officials tracked and arrested the suspect, who has admitted some allegations while denying others.
Tue, August 26, 2025
HOOK Android Trojan Adds Ransomware Overlays, Expands
🔒 Cybersecurity researchers at Zimperium zLabs have identified a new HOOK Android banking trojan variant that deploys full-screen ransomware-style overlays to extort victims. The overlay is remotely triggered via the command "ransome" and displays a warning, wallet address and amount, and can be dismissed by the attacker with "delete_ransome". An offshoot of ERMAC, the latest HOOK builds on banking malware techniques and now supports 107 remote commands, introducing transparent gesture-capture overlays, fake NFC and payment screens, and deceptive unlock prompts to harvest credentials and crypto recovery phrases.
Mon, August 25, 2025
Major Corporation Uses '123456' for Critical Access
🔒 McDonald's reportedly configured a major corporate system with the password 123456, illustrating a glaring failure in basic security hygiene. That weak credential makes systems trivially susceptible to brute-force and credential-stuffing attacks and indicates lax oversight of password policies, privileged accounts, and access controls. Immediate remediation should include forcing password rotation, deploying multi-factor authentication, implementing centralized secrets management, and auditing privileged access.
Mon, August 25, 2025
Transparent Tribe Targets Indian Govt with Shortcut Malware
🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.
Thu, August 21, 2025
Weak Passwords Fuel Rise in Compromised Accounts in 2025
🔐 The Picus Blue Report 2025 finds that password cracking succeeded in 46% of tested environments, while Valid Accounts (T1078) exploitation achieved a 98% success rate. Many organizations still rely on weak passwords, outdated hashing, and lax internal controls, leaving credential stores exposed. The report urges adoption of widespread MFA, stronger password policies, routine credential-validation simulations, and improved behavioral detection to reduce undetected lateral movement and data theft.
Thu, August 21, 2025
Scattered Spider Member Sentenced to 10 Years in US
🔒 Noah Michael Urban, a 20-year-old member of the Scattered Spider cybercrime gang, was sentenced to 120 months in federal prison after pleading guilty to wire fraud and aggravated identity theft in April 2025. The court also ordered $13 million in restitution and three years of supervised release; Urban called the sentence unjust. Prosecutors say Urban and co-conspirators used SIM swapping and social engineering between August 2022 and March 2023 to steal at least $800,000 and hijack cryptocurrency accounts. His case is part of broader DoJ actions against Scattered Spider as the group forges alliances with other criminal collectives.
Thu, August 21, 2025
SIM-Swapper Scattered Spider Hacker Sentenced 10 Years
🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.
Mon, August 18, 2025
Helping Child Bloggers: Practical Safety Guidance for Parents
📸 Parents should engage when children show interest in blogging, using open discussion to build trust and teach online safety. The article recommends creating accounts together, reviewing privacy settings, disabling geolocation, choosing strong unique passwords, and enabling two-factor authentication to reduce account-takeover risk. It also outlines what not to post, how to monitor usernames, and how to spot scams, doxing, and stalker behavior.
Fri, August 15, 2025
Mobile Phishers Target Brokerage Accounts in Ramp-and-Dump
📈 Cybercriminals selling advanced mobile phishing kits have shifted from converting stolen cards into mobile wallets to hijacking brokerage accounts for a coordinated ramp and dump scheme that inflates and then collapses foreign and penny stock prices. Vendors such as Outsider (aka Chenlun) offer templates that spoof brokers via iMessage and RCS to harvest logins and SMS one-time codes. Operators use banks of phones and human handlers to preposition, trade, and liquidate positions, leaving victims with worthless shares while brokers and regulators contend with the fallout.
Tue, August 12, 2025
Muddled Libra Strike Teams: Collaborative Cybercrime
🧩 Muddled Libra is not a single organized group but a fluid collaboration of personas that form distinct strike teams with varying objectives and tradecraft. Unit 42 has identified patterns across at least seven teams, from crypto theft and extortion to IP theft and mass data harvesting. Defenders should prioritize protecting high-value data, tighten access controls, and assume evolving tactics rather than a fixed adversary profile.
Tue, August 12, 2025
How Young People Can Level Up Their Cybersecurity Practices
🔒 Digital natives often spend more time online and maintain large numbers of accounts, which increases exposure to scams, phishing and account takeovers. Research shows Gen Z is less likely to use unique passwords, enable MFA, or install updates regularly, and some admit sharing sensitive data with AI or bypassing corporate security tools. Simple, practical steps — stick to official app stores, keep software updated, deploy trusted security software, review privacy settings and treat unsolicited offers with skepticism — can significantly reduce risk.
Sat, July 26, 2025
ISP Exposes Administrative Credentials via S3 Misconfig
🔓 On October 11, 2018 UpGuard discovered that an Amazon S3 bucket named "pinapp2" exposed 73 GB of data belonging to Pocket iNet. The downloadable "tech" folder contained plaintext administrative passwords, AWS secret keys, network configuration files, inventory lists, and photographs of hardware and towers. Pocket iNet was notified the same day and secured the exposure on October 19, 2018. The incident highlights how misconfigured S3 ACLs and poor credential hygiene can place critical infrastructure at risk.
Sat, July 26, 2025
Maryland JIA NAS Misconfiguration Exposes PII, Credentials
🔒 The UpGuard Cyber Risk Team discovered a publicly exposed, misconfigured NAS belonging to the Maryland Joint Insurance Association (JIA) that contained backup customer and operational files. The repository included full Social Security numbers, bank account and check images, insurance policy data, and plaintext administrative credentials including remote access and third-party ISO ClaimSearch logins. UpGuard notified JIA on discovery; the exposure was secured and is no longer active.
Thu, July 24, 2025
Phishers Target Aviation Executives, Steal Customer Funds
📧 A targeted phishing campaign compromised an aviation executive’s Microsoft 365 credentials, allowing attackers to mine past invoice conversations and send convincing fake invoice requests to customers. Within hours the fraudsters registered a near‑identical domain and at least one customer paid a six‑figure phony invoice. Investigation links the registration details to a long‑running Nigerian BEC ring identified as SilverTerrier; firms are urged to combine employee training, domain monitoring and rapid use of the Financial Fraud Kill Chain to improve recovery chances.
Wed, June 4, 2025
Google survey: U.S. consumers report rising online scams
🔒 Google’s latest survey with Morning Consult shows U.S. consumers increasingly aware of online scams and taking new protective steps. Over 60% report an uptick in scams and one-third say they experienced a data breach, with texts and email the most common vectors. The report highlights generational differences in sign-in preferences — older adults rely on passwords while Gen Z favors passkeys and social sign-ins — and recommends Google Password Manager, 2‑Step Verification and modern authentication methods.
Wed, May 14, 2025
Android security and privacy updates in 2025 — protections
🔒 Google outlines a suite of Android security and privacy enhancements for 2025, focused on countering scams, fraud, and device theft. New in-call protections block risky actions during calls with unknown contacts, and a UK pilot will extend screen-sharing warnings to participating banking apps. AI-powered Scam Detection in Google Messages has been expanded and runs on-device to preserve privacy, while a new Key Verifier enables public-key verification for end-to-end encrypted messages. Additional theft protections, Advanced Protection device settings, and updates to Google Play Protect round out the release.