All news with #credential access tag

🏧 South Carolina prosecutors said two Venezuelan nationals pleaded guilty to conspiracy and computer crimes after using malware to force ATMs to dispense cash across the southeastern United States. They targeted older ATM models, installing a Ploutus variant by connecting laptops, using external drives, or swapping hard drives to trigger unauthorized withdrawals. Both defendants were sentenced, ordered to pay restitution, and face deportation following their terms.

🔒 Brand impersonation—fake websites, domains, emails, ads, and social pages—is an increasingly common tactic used to harvest credentials, steal payments, distribute malware, and defraud customers and partners. Attackers exploit lookalike domains, SEO and paid ads, and phishing messages to lure victims; even imperfect forgeries can inflict financial, operational, and reputational harm. Organisations should monitor clones, maintain a visible trust centre, pursue rapid takedowns, block malicious domains internally, and coordinate legal, IT, and communications teams for fast response.

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in SiteCore) and often deploys open-source tooling—Earthworm, SharpHound, DWAgent, Certipy, and GoTokenTheft—to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.

🔒 If you learn your personal or financial data is on the dark web, act quickly: cybercriminals use stolen PII, credentials, session cookies and payment details to commit account takeover, identity theft and fraud. Immediately change compromised passwords, enable MFA (prefer authenticator apps or hardware keys), sign out of all devices, scan for infostealer malware and contact your bank to freeze or reissue cards. For longer-term protection, freeze credit, tighten privacy settings, use email aliasing and a password manager, and enroll in monitoring services such as HaveIBeenPwned.

🔐 Over the past six months, threat actors have increasingly used the Browser-in-the-Browser (BitB) technique to harvest Facebook credentials, according to Trellix. Attacks display realistic fake login pop-ups implemented with iframes and often leverage URL shorteners and reputable cloud hosts like Netlify and Vercel to evade detection. Campaigns impersonate law firms, copyright notices, and Meta security alerts, adding counterfeit CAPTCHA pages to increase legitimacy. To reduce risk, avoid embedded links, enable two-factor authentication, and verify whether login windows can be dragged outside the browser to detect BitB.

🕵️ Security researchers at Check Point discovered in October 2025 an AI-assisted investment fraud that traps victims in a personalized "Truman Show"-style reality. Targets are lured via SMS, Google Ads and messaging apps into AI-driven WhatsApp groups where faux experts and synthetic members stage daily "wins" to erode skepticism. Victims are then funneled to a branded fake trading app (e.g., OPCOPRO) and persuaded to transfer crypto while attackers harvest KYC data for identity theft and resale. The campaign creates clear enterprise risks including SIM swaps, credential theft and potential insider coercion.

🎧 In episode 449 of the Smashing Security podcast, Graham Cluley examines an actual romance-fraud handbook that includes scripts, personality “types,” corporate jargon and a seven-day plan to convince victims to hand over cryptocurrency. Guest Lesley Carhart delivers a stark reality check on the shrinking entry-level cybersecurity job market and the hazards of automated CV screening. The show also features ThreatLocker CEO Danny Jenkins discussing how misconfigurations drive breaches and how default-deny approaches work in practice.

🔐 Generative AI is accelerating password attacks against Active Directory, making cracking cheaper, faster, and more targeted than traditional techniques. Models like PassGAN learn real-world password patterns and can predict employee passwords when trained on breach data or public company content. Combined with readily available GPU cloud rentals, attackers can test vastly more candidates and tailor guesses using org-specific reconnaissance. Vendors such as Specops recommend longer, random passphrases and breached-password screening to reduce exposure.

🔒 A former Coinbase customer service agent was arrested in Hyderabad, India, after allegedly accepting bribes from criminal gangs to access and sell sensitive customer records, Coinbase CEO Brian Armstrong announced. The incident, disclosed in May 2025, involved compromised support staff leaking data on nearly 70,000 customers, including IDs and financial details. Coinbase refused a US $20 million ransom and instead committed that sum to a reward fund while cooperating with law enforcement.

🔎 TRM Labs investigators say a 2022 data breach at LastPass enabled sustained thefts that drained millions in cryptocurrency from user wallets over several years. The firm traced approximately $28m stolen from 2024 to early 2025 and a further $7m in September 2025, with funds routed to Russian exchanges and money‑laundering services. Using proprietary demixing techniques, analysts were able to correlate CoinJoin‑mixed transactions to withdrawal clusters tied to Russia‑based infrastructure. The report underscores the long‑tail risk from exposed password vault backups and reiterates the need for MFA and prompt password changes.

🔐 An automated password-spraying campaign is targeting multiple VPN platforms, with credential-based attacks observed against Palo Alto Networks GlobalProtect portals and Cisco SSL VPN gateways. GreyNoise recorded login attempts peaking at 1.7 million over 16 hours from more than 10,000 unique IPs, largely originating from the 3xK GmbH hosting space. The actor reused common username/password combinations and used an unusual Firefox user agent, indicating scripted credential probing rather than exploitation. Administrators are advised to enforce strong passwords, enable MFA, audit appliances, and block known malicious IPs.

🛡️ Kaspersky researchers uncovered a new Windows infostealer named Stealka in November 2025 that steals browser data, extension files and application settings to enable account takeover, cryptocurrency theft and deployment of a cryptominer. The malware is most often distributed as game cracks, cheats and pirated software hosted on legitimate platforms; activation requires the victim to run the delivered file. Stealka specifically targets Chromium- and Gecko-based browsers and dozens of popular wallet, password manager and 2FA extensions. Users are advised to rely on reputable endpoint protection, avoid pirated software and keep secrets out of browser storage.

🔒 Recorded Future's Insikt Group observed APT28 conducting a sustained credential-phishing campaign targeting users of UKR.net between June 2024 and April 2025. The actor, tracked as APT28 or BlueDelta and assessed as affiliated with the GRU, used UKR.net-themed login pages hosted on legitimate services like Mocky and chained redirects from link shorteners and Blogger subdomains to capture passwords and 2FA codes. Phishing emails delivered PDFs that directed recipients to these pages, and the group has moved from abusing compromised routers to leveraging proxy tunneling services such as ngrok and Serveo.

🚨 Amazon detected a campaign on Nov 2, 2025 that used compromised IAM credentials to rapidly deploy cryptocurrency miners across ECS Fargate and EC2, with miners running within ten minutes of initial access. The adversary used DryRun-based discovery to validate permissions, created service-linked roles and dozens of ECS clusters, and registered a malicious DockerHub image to launch mining with the RandomVIREL algorithm. Attackers also set disableApiTermination=True on EC2 instances to hinder remediation; Amazon recommends enforcing MFA, least privilege, temporary credentials, container scanning, CloudTrail logging and enabling GuardDuty.

🔒Four newly documented phishing kits — BlackForce, GhostFrame, InboxPrime AI, and Spiderman — enable large-scale credential theft and advanced MFA bypass techniques. BlackForce (first seen August 2025) uses Man‑in‑the‑Browser (MitB) capabilities to capture OTPs and exfiltrate data to Telegram/C2 panels, while GhostFrame hides phishing pages inside iframes. InboxPrime AI automates high-quality mass mailings with generative assistance, and Spiderman offers full-stack banking replicas with ISP and geofence filtering. Researchers warn these kits lower the bar for attackers and recommend layered defenses including phishing-resistant MFA, strong email validation, anomaly detection, and user training.

🕷️Spiderman is a newly observed phishing kit that replicates banking and cryptocurrency login flows to capture credentials, 2FA codes, credit card details, and wallet seed phrases. Researchers at Varonis report it targets customers across five European countries and major brands including Deutsche Bank, ING, CaixaBank, PayPal, and crypto wallets such as Ledger and Metamask. The kit’s modular control panel lets operators filter victims by country or device, intercept PhotoTAN and OTP codes in real time, export harvested data with one click, and redirect non-targeted visitors.

📧Attackers impersonating file-sharing and e-signature platforms sent over 40,000 finance-themed phishing emails, researchers at Check Point report. These messages mimicked notifications from services like SharePoint and popular e-signing vendors to coax recipients into clicking links or entering credentials. The campaign targeted finance workflows and aimed to harvest credentials or deliver follow-on malware, underscoring the need for robust email security and user vigilance.

🔒Three Ukrainian nationals were arrested in Poland after police discovered a cache of devices alleged to be capable of interfering with strategic IT and telecommunications systems. Officers seized a Flipper Zero, a K19 RF/GS detector, antennas, laptops, numerous SIM cards, routers, portable drives, and cameras. The suspects, aged 39–43, face charges including fraud, computer fraud, and possession of tools intended for criminal activity, and are detained pending trial.