CISO Brief

All news with #credential access tag

138 articles · page 3 of 7

Starkiller phishing kit uses proxy to bypass MFA protections

⚠️ Abnormal researchers have identified Starkiller, a commercial-grade phishing kit that proxies live login pages to harvest credentials and session tokens. Unlike static HTML clones, Starkiller runs a headless Chrome proxy that serves genuine page content and forwards one-time codes in real time, enabling MFA bypass. Distributed as a subscription on the dark web with updates and Telegram support, it includes real-time session monitoring, a keylogger and deceptive URLs mimicking major providers. Organizations should monitor anomalous login patterns and session token reuse to reduce risk.

Massiv Android Trojan Targets IPTV Users for DTO Attacks

🛡️ ThreatFabric has disclosed Massiv, a new Android trojan that impersonates IPTV apps to deliver device takeover (DTO) attacks aimed at financial theft. Distributed via SMS phishing droppers, Massiv abuses Android accessibility and MediaProjection APIs to stream screens, capture keystrokes and SMS, and deploy fake overlays that harvest banking credentials and KYC data. Operators have used stolen information to open accounts, launder money and remotely control infected devices while concealing malicious activity behind black-screen overlays.

Phishing Abuse of Google Tasks to Steal Credentials

🔔 Attackers are abusing Google Tasks notifications to bypass email filters and trick employees into submitting corporate credentials. Recipients receive legitimate-looking @google.com notices urging urgent action and a link to a credential-harvesting form. Organizations should train staff, maintain clear lists of authorized services, and consider mail gateway security and endpoint protection to block phishing sites. Use tools like Kaspersky Automated Security Awareness Platform to automate training.

Operation DoppelBrand: Phishing Targets Major Firms

🔒 SOCRadar has uncovered a phishing campaign named Operation DoppelBrand that targeted Fortune 500 financial, insurance and technology firms between December 2025 and January 2026. The activity is attributed to financially motivated actor GS7 and relies on lookalike domains and cloned login portals to harvest credentials, which are forwarded to Telegram bots. Successful compromises often result in the deployment of legitimate remote access tools such as LogMeIn Resolve, delivered via MSI installers and supported by VBS loaders for privilege escalation and silent installation.

DPRK Operatives Use Real LinkedIn Identities to Apply

🔍 DPRK-linked IT operatives are escalating a long-running fraud by applying to remote positions using genuine LinkedIn profiles they impersonate, often including verified workplace emails and identity badges. Security Alliance and other researchers warn this helps attackers bypass basic vetting and gain administrative access to sensitive codebases. Parallel social engineering

From Ransomware to Residency: The Shift to Stealth

🔍 The Picus Red Report 2026 analyzed more than 1.1 million malicious files and 15.5 million adversarial actions across 2025 and finds attackers shifting from disruptive ransomware to long-lived, stealthy residency. Rather than encrypting systems, adversaries focus on credential theft, process injection, sandbox evasion and quiet data exfiltration. The report urges defenders to prioritize behavior-based detection, credential hygiene and continuous adversarial validation to restore visibility.

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.

Software Developers as Prime Cyber Targets and Risks

🔐 Software developers are increasingly targeted by attackers exploiting their tools, credentials, and trusted channels rather than traditional application bugs. Threats include malicious IDE extensions, tainted open-source packages, CI/CD pipeline abuse, credential theft, social engineering, and AI-driven manipulation. Because developers hold tokens, API keys, cloud credentials, and long-lived secrets, compromises can grant broad access to source code and infrastructure. CISOs must combine technical controls, least-privilege practices, supply-chain defenses, and ongoing developer training to reduce systemic risk.

Identities Targeted as Cybercriminals Shift Tactics Now

🔐 The Eye Security 2026 State of Incident Response Report finds that cyberattacks on companies are increasingly undetected and that attackers are shifting from technical exploitation to abusing existing access and credentials, with damage often occurring within minutes. The study reports passwords were involved in 97% of tracked incidents and that BEC accounted for over 70% of cases, with phishing initiating 40% of those intrusions. It also highlights the rise of Ransomware-as-a-Service, access broker marketplaces, and the commercialization of insider access, identifying industrial, construction, and transport firms as particularly affected based on 630 European incidents analyzed from 2023–2025.

PDF Phishing Campaign Targets Corporate Dropbox Credentials

🔒 Forcepoint X-Labs has warned of a multi-stage phishing campaign that uses short, business-themed emails and PDF attachments to harvest corporate Dropbox credentials. The PDFs contain embedded AcroForm links that limit scanning by security tools and redirect victims to a legitimate cloud-hosted portal serving a spoofed login page. By leveraging reputable cloud infrastructure, the attackers reduce suspicion and bypass many automated reputation checks. Submitted credentials are exfiltrated to a Telegram channel, enabling account takeover and follow-on abuse.

Multi-stage PDF phishing uses Dropbox to harvest logins

📄 Forcepoint researchers describe a multi-stage phishing campaign that uses attached PDFs to redirect victims through cloud-hosted content to a fake Dropbox sign-in page. Attackers exploit spoofed or compromised senders and trusted services to bypass filters and authentication checks like SPF, DKIM, and DMARC. If credentials are entered they’re exfiltrated to attacker-controlled infrastructure for account takeover and fraud. The campaign succeeds because each step appears legitimate in isolation, exploiting habitual trust in PDFs and mainstream cloud services.

Defending Against ShinyHunters Branded SaaS Extortion

🔐 Mandiant is tracking a notable expansion of ShinyHunters-branded extortion campaigns that use evolved vishing and victim-branded credential harvesting to compromise SSO credentials and enroll unauthorized devices into corporate MFA. These intrusions exploit social engineering — not product vulnerabilities — to pivot into cloud SaaS environments and perform bulk exports and administrative abuse. The post provides prioritized containment, hardening, logging, and detection guidance, and urges adoption of phishing-resistant MFA such as FIDO2 security keys and passkeys.

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.

ShinyHunters Launch Vishing Campaign Targeting 100s

📞 Notorious extortion group ShinyHunters released tens of gigabytes of files it claims were stolen from dating services including Hinge, Match, OkCupid and Bumble. Researchers link the disclosures to a broader campaign that combines automated phishing kits with voice-based social engineering to capture credentials and MFA tokens in real time. Security firm Silent Push detected a 'Live Phishing Panel' and infrastructure consistent with SLSH activity targeting more than 100 high-value organizations. Organizations are advised to verify IT support calls through official out-of-band channels and audit OSS logs for suspicious device enrollments and new-IP logins.

Identities in Focus as Cybercriminals Shift Tactics Worldwide

🔐 The State of Incident Response Report 2026 from Eye Security finds cybercriminals increasingly exploiting legitimate credentials rather than breaking systems. Identity-based attacks now dominate, with 97% of incidents involving passwords and Business Email Compromise making up over 70% of cases. Ransomware remains a major threat as RaaS and access-broker marketplaces lower barriers. Analysis of 630 European incidents (2023–2025) shows many breaches begin with phishing, misconfigured internet-facing systems, or social engineering, and can go undetected for weeks.

Near-Identical Password Reuse: An Overlooked Urgent Risk

🔐 Near-identical password reuse—small, predictable modifications to existing credentials—regularly bypasses standard complexity and password-history checks, creating a persistent attack vector even in well-managed environments. Attackers weaponize breached credential lists with automated transformations to infer updated passwords quickly. Users favor these tweaks because they are memorable and compliant on the surface. Implement continuous breach monitoring, similarity analysis, and centralized controls such as Specops Password Policy to detect and block overly similar replacements.

US to deport Venezuelans who emptied bank ATMs using malware

🏧 South Carolina prosecutors said two Venezuelan nationals pleaded guilty to conspiracy and computer crimes after using malware to force ATMs to dispense cash across the southeastern United States. They targeted older ATM models, installing a Ploutus variant by connecting laptops, using external drives, or swapping hard drives to trigger unauthorized withdrawals. Both defendants were sentenced, ordered to pay restitution, and face deportation following their terms.

Brand Impersonation: Spoofed Websites, Risks & Mitigation

🔒 Brand impersonation—fake websites, domains, emails, ads, and social pages—is an increasingly common tactic used to harvest credentials, steal payments, distribute malware, and defraud customers and partners. Attackers exploit lookalike domains, SEO and paid ads, and phishing messages to lure victims; even imperfect forgeries can inflict financial, operational, and reputational harm. Organisations should monitor clones, maintain a visible trust centre, pursue rapid takedowns, block malicious domains internally, and coordinate legal, IT, and communications teams for fast response.

Chrome Extensions Impersonating Workday and NetSuite

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.

Account Compromise Soars 389% in 2025: eSentire Report

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.