< ciso brief />

All news with #credential stuffing tag

71 articles

Romanian sentenced for hacking Oregon government network

🔒 A Romanian national was sentenced to 56 months in federal prison after pleading guilty to aggravated identity theft and unauthorized access to an Oregon state government computer network. The 46-year-old, known online as "inthematrixl," also sold access and stolen personal data from other U.S. victims, causing at least $250,000 in losses. Authorities coordinated internationally to arrest and extradite him, and the court ordered forfeiture of cryptocurrency and supervised release.

AppSheet-phishing: attackers abusing Google-linked emails

📧 Recent phishing campaigns exploit Google’s AppSheet platform to send convincing emails from a legitimate noreply{@}appsheet.com address, making them likely to bypass filters. Attackers craft personalized messages — urgent warnings or enticing job offers — to trick victims into submitting identity details on clone sites, then harvest credentials and data. The compromises can lead to account takeover, device control, and secondary targeted attacks using the stolen information.

How to Manage Subscriptions Securely and Avoid Scams

🔒 Subscription services are widespread and often contain personal data, making them attractive targets for attackers. The article outlines common attack vectors — phishing, credential reuse, infostealers, and bulk-resale of hacked family slots — and explains practical defenses: use password managers, enable two-factor authentication or passkeys, and monitor active sessions. It also advises how to spot phishing and track hidden recurring charges through bank statements and app-store settings.

PCPJack worm steals cloud credentials and cleans TeamPCP

🐛 PCPJack is a new worm that targets exposed cloud infrastructure to harvest credentials while actively removing traces of rival group TeamPCP. It infects Linux systems via a shell script (bootstrap.sh), establishes persistence (monitor.py), and propagates by scanning for exposed Docker, Kubernetes, Redis, MongoDB and RayML services. Stolen credentials are encrypted with X25519/ChaCha20-Poly1305 and exfiltrated to Telegram channels; researchers recommend MFA, IMDSv2 and least-privilege controls.

Hackers Use Google Ads to Phish ManageWP Logins via AitM

🔒 A phishing campaign abused Google sponsored search results to deliver a live adversary-in-the-middle (AitM) proxy that mimics ManageWP's sign-in page, placing the fake result above the legitimate one for the "managewp" query. Any credentials entered are exfiltrated to a Telegram channel and used in real time to bypass 2FA. Guardio Labs infiltrated the attackers' C2, observed an operator-driven phishing framework, and confirmed around 200 unique victims.

30,000 Facebook Accounts Hacked via AppSheet Phishing Relay

🔐 A Vietnamese-linked operation used a Google AppSheet address as a phishing relay to distribute credential-harvesting pages and compromise roughly 30,000 Facebook accounts. Guardio, calling the scheme AccountDumpling, says stolen accounts are resold via an illicit storefront after exfiltration to Telegram channels. Lures hosted on Netlify, Vercel and Google Drive, plus Canva-generated PDFs, were used to harvest passwords, 2FA codes, IDs and business data, leaving many victims locked out.

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.

BlueNoroff Targets Crypto Firms with AI-Enhanced Lures

🔒 Arctic Wolf attributes a large-scale spear-phishing campaign to BlueNoroff, a subgroup of the Lazarus Group, which targeted more than 100 cryptocurrency and fintech organizations across 20+ countries. The operation used typosquatted Zoom and Microsoft Teams links, manipulated Calendly invites, fake meeting interfaces and ClickFix-style clipboard injection to harvest credentials and wallet data. Researchers observed a self-sustaining deepfake pipeline, PowerShell-based C2, AES-encrypted browser payloads and Telegram-based exfiltration, with some intrusions persisting for 66 days.

Tax Season Phishing Targets Individuals and Crypto Users

🛡️ Scammers are creating convincing fake tax authority websites worldwide to harvest credentials, steal personal data, and distribute malware embedded in downloaded “documents.” These portals also run fraudulent paid services that collect taxpayer identifiers and financial details for later abuse. Cryptocurrency holders are specifically targeted with fake verification flows that request seed phrases or wallet connections, leading to immediate theft. Kaspersky cautions against using cloud-hosted AI for tax preparation and recommends sticking to verified official channels, encrypting sensitive files, and employing reputable security tools.

Malicious pgserve and automagik Packages Target npm

🛡️ Security researchers at Socket and StepSecurity have identified malicious versions of pgserve and automagik published to the npm registry that execute a credential-harvesting payload during installation. The trojans collect tokens, SSH keys, cloud credentials (AWS, Azure, GCP), browser passwords and crypto wallet funds, and attempt to propagate by using any npm publish tokens found on infected machines. Stolen data is encrypted and exfiltrated to a decentralized ICP canister, chosen specifically to resist takedown. Developers are urged to rotate all credentials immediately, disable automatic postinstall scripts (npm config set ignore-scripts true), harden CI/CD egress and tighten token scopes.

No Exploit Needed: Identity-Based Attacks Remain Top Threat

🔐 Attackers increasingly rely on stolen credentials—via credential stuffing, password spraying and phishing—to gain immediate, low-noise access. Legitimate logins often evade detection, allowing adversaries to dump additional passwords, move laterally, and persist. The author warns that AI is accelerating these techniques and advocates a DAIR (Dynamic Approach to Incident Response) loop, plus clear communication and hands-on training to contain and remediate identity-based intrusions.

Scattered Spider Leader Pleads Guilty to Crypto Theft

🔒 Tyler Robert Buchanan, a 24-year-old British national believed to lead the Scattered Spider cybercrime collective, has pleaded guilty in U.S. federal court to wire fraud and aggravated identity theft in connection with cryptocurrency thefts. Prosecutors say Buchanan and co-conspirators used large-scale SMS phishing campaigns and SIM swap attacks to steal at least $8 million from companies and individuals between September 2021 and April 2023. Buchanan was arrested in June 2024 in Palma de Mallorca, has been in U.S. custody since April 2025, and faces a statutory maximum of 22 years; sentencing is scheduled for August 21, 2026.

Underground Guide: How Threat Actors Vet Stolen Cards

🔍 Flare analysts recovered a forum document, The Underground Guide to Legit CC Shops, that explains how fraud actors vet stolen credit card marketplaces. The guide shifts emphasis from opportunistic card use to disciplined supplier evaluation, offering a technical checklist (domain age, WHOIS, SSL), social‑intel techniques, and strict OPSEC recommendations. It also highlights how shops emulate legitimate e‑commerce (pricing, ticketing, escrow) and warns of commercial bias in endorsed services.

Man jailed for selling hacked DraftKings accounts in bulk

🔒 Kamerin Stokes, 23, was sentenced to 30 months in prison after selling access to tens of thousands of hacked accounts tied to DraftKings. Prosecutors say a November 2022 credential‑stuffing attack led by Nathan Austad (aka Snoopy) with accomplice Joseph Garrison compromised nearly 68,000 accounts; the group stole about $635,000 from roughly 1,600 accounts and generated over $2.1 million selling hacked accounts. Stokes, who operated as TheMFNPlug, briefly reopened his shop after pleading guilty with the tagline "fraud is fun", was remanded for violating pretrial conditions, and was ordered to pay $1,327,061 in restitution and $125,965.53 in forfeiture, plus three years of supervised release.

Rockstar Games analytics data leaked after Anodot breach

🔓 A data set allegedly belonging to Rockstar Games was published by the ShinyHunters extortion group after they say authentication tokens were stolen from Anodot and used to access connected Snowflake accounts. The leak reportedly contains more than 78.6 million records of internal analytics — including in‑game revenue, purchase metrics, player behavior, and game economy data for GTA Online and Red Dead Online — plus Zendesk support analytics. Rockstar said only a limited amount of non‑material company information was accessed and that the incident does not affect players.

Mass Credential Theft via CVE-2025-55182 Targets Next.js

🔓 Cisco Talos has linked a large-scale credential harvesting campaign to a threat cluster tracked as UAT-10608 that exploited CVE-2025-55182 in React Server Components and the Next.js App Router to breach at least 766 hosts. The intruders deployed a multi-stage dropper that collected environment variables, SSH keys, cloud metadata credentials, API keys, and other secrets before aggregating them in a password-protected web GUI called NEXUS Listener. Researchers accessed an exposed instance and observed a broad array of stolen items, including Stripe keys, GitHub tokens, AI platform keys, webhook secrets, and database connection strings. Organizations are urged to patch vulnerable Next.js deployments, enforce least privilege, enable IMDSv2, rotate credentials, and implement secret scanning.

Inside Modern Fraud: Bot Signups to Account Takeovers

🛡️ Modern fraud attacks function like a relay race: adversaries use bots, leaked credentials, and residential proxies to create large numbers of plausible accounts, then pivot to slower, human-driven sessions for logins and cash-out. Point-in-time, single-signal checks (IP, email, device) generate false positives and miss adaptive, multi-stage chains. The piece argues for correlating IP, identity, device, and behavioral signals into a unified risk model to reduce friction for legitimate users while stopping coordinated abuse.

Phishers Abuse Bubble to Steal Microsoft Account Credentials

🔒 Threat actors are abusing the no-code Bubble AI app builder to host phishing pages that harvest Microsoft account credentials. Because apps are hosted under *.bubble.io, email security tools often treat the links as legitimate and fail to flag them. Kaspersky researchers found attackers use obfuscated JavaScript and Shadow DOM structures to redirect victims to Microsoft-like login forms, sometimes behind Cloudflare checks, to exfiltrate entered credentials.

Trivy GitHub Action Compromise: Credential Stealer Incident

🔍 CrowdStrike linked a spike in script-execution detections to a compromised GitHub Action, aquasecurity/trivy-action, used widely in CI/CD pipelines. An attacker force‑repointed 76 of 77 release tags to commits that prepended a ~105‑line credential stealer to the legitimate entrypoint, enabling secret harvesting on both GitHub-hosted and self‑hosted runners. Harvested data was encrypted with AES-256-CBC and a hardcoded 4096‑bit RSA key, then exfiltrated via a typosquatted domain and, as a fallback, by creating public GitHub releases under victim accounts; the malicious code then invoked the original scanner to hide its activity.

Travel Rewards Become Commoditized in Underground Markets

✈️ Flare researchers found that airline miles and hotel points are being treated as commodities in underground markets, where stolen loyalty accounts are traded, redeemed for legitimate bookings, and resold at discounts. Actors post inventory-style listings in messaging groups, often advertising full email access to reduce recovery chances. Observed pricing averaged roughly $1 per 1,000 miles, and major programs were favored for liquidity and resale value. The fraud chain typically follows a four-stage cycle from account takeover to resale.