
All news with #credential stuffing tag

59 articles · page 2 of 3

Credential stuffing: risks and protection advice today

🔐 Credential stuffing exploits reused login credentials harvested from breaches or captured by infostealer malware, then systematically automates login attempts across services. Attackers increasingly use bots, IP rotation and AI-assisted scripts to mimic human behavior and evade basic defenses, enabling stealthier and larger-scale attacks. Because it uses valid credentials, it often bypasses alarms that detect brute-force failures. Protect yourself with a password manager, enable 2FA/MFA, and monitor for exposed credentials.

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and OwnCloud instances. Hudson Rock links initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.

LastPass 2022 Breach Enabled Years-Long Crypto Drains

🔐 TRM Labs says encrypted vault backups stolen in the 2022 LastPass breach have been incrementally cracked by attackers exploiting weak master passwords, resulting in cryptocurrency drains as recently as late 2025. The firm traces over $35 million in siphoned assets, much of it laundered through CoinJoin and Russian-linked exchanges. TRM highlights how demixing and operational analysis linked activity to Russia-associated infrastructure and warns users who did not rotate credentials remain at risk.

SEC Charges Crypto Firms Over $14M Investment Scam

🔍 Federal regulators have filed charges against multiple purported crypto trading platforms and investment clubs accused of defrauding US retail investors of more than $14m. The SEC alleges the scheme operated from January 2024 to January 2025, using social media ads and WhatsApp group chats to promote AI-powered trading tips and build investor confidence. Victims were directed to fund accounts on platforms including Morocoin Tech Corp., Berge Blockchain Technology Co. Ltd. and Cirkor Inc., where withdrawals were blocked and additional advance fees were requested.

Coordinated Fake Job Ads Target MENA Remote Workers

🔍 Group-IB has uncovered a coordinated campaign of professionally produced fake job ads targeting MENA remote workers, exploiting the region's shift to remote roles. Ads on Facebook, Instagram and TikTok impersonate banks, e-commerce platforms and government bodies, then move conversations to WhatsApp and Telegram to harvest personal and financial data. Scammers promise quick earnings, use localized language and currencies, and reuse scripts and fake sites to scale and evade detection. Individuals are advised to verify employers, avoid sharing sensitive information and report suspicious listings.

FBI Seizes Domain Hosting Stolen US Bank Credentials

🔒 The FBI has seized the domain web3adspanels.org and the backend database used to host thousands of stolen U.S. bank login credentials collected via phishing ads on Google and Bing. Authorities report confirmed financial losses of about $14.6 million and attempted losses near $28 million, affecting at least 19 victims including two companies in the Northern District of Georgia. The seizure, conducted with help from Estonian and other international partners, removed a server that was active as recently as November; no arrests have been announced.

Cybercriminals Recruiting Insiders in Finance, Telecom, Tech

🔒 Cyber criminals are increasingly recruiting insiders at banks, telecoms, and tech firms to obtain network and cloud access. Darknet adverts offer payouts ranging from $3,000 to $15,000 for account credentials or direct access, and threat actors target crypto exchanges, banks, and major cloud providers. Effective prevention requires employee education, enforced access controls, and active darknet monitoring.

Credential-based attacks target Cisco and Palo Alto VPNs

🔒 Security researchers observed a coordinated credential-stuffing campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a two-day span in mid-December. GreyNoise reported millions of automated login sessions from more than 10,000 unique IPs, using a consistent TCP fingerprint and a Firefox-like user agent. The activity did not exploit software flaws but instead relied on large-scale username/password probes. Analysts urged enforcing strong passwords and MFA, auditing exposed edge devices, and leveraging threat-intel blocklists to filter malicious traffic.

Third Defendant Pleads Guilty in Fantasy Betting Hack

🔒 Nathan Austad, 21, pleaded guilty to conspiring to commit computer intrusion after participating in a credential stuffing campaign that compromised more than 60,000 user accounts on a fantasy sports betting site in November 2022. Prosecutors say attackers added payment methods, drained balances and sold account access on online marketplaces; roughly $600,000 was stolen from about 1,600 victims. Investigators say Austad ran an online shop and controlled cryptocurrency wallets that received approximately $465,000 in proceeds. He acknowledged awareness of an active investigation and faces up to five years in prison, with sentencing scheduled for April 10, 2026.

Preparing Retailers for Holiday Credential Threats

🔒 Retailers face concentrated credential risk during holiday peaks as bot-driven fraud, credential stuffing and pre-staged automated attacks target logins, payment tokens and loyalty balances. Effective defenses combine adaptive MFA, bot management, rate limiting and credential-stuffing detection to stop automation without harming checkout conversion. Strong controls for staff and third parties, plus tested failovers and tools like Specops Password Policy to block compromised passwords, reduce blast radius and protect revenue.

Phishing, Privileges and Passwords: Identity Risk Guide

🔒 Identity-focused attacks are driving major breaches across industries, with recent vishing incidents at M&S and Co-op enabling ransomware intrusions and combined losses exceeding £500 million. Attackers harvest credentials via infostealers, targeted phishing/smishing/vishing, breached password stores and automated attacks like credential stuffing. Implement least privilege, strong unique passwords in managers, MFA (authenticator apps or passkeys), PAM and automated identity lifecycle controls to limit blast radius.

Holiday Cyberthreat Surge 2025: What CISOs Must Know

🛡️ FortiGuard Labs' 2025 holiday analysis documents a marked increase in malicious infrastructure, credential theft, and targeted exploitation of e-commerce systems during the pre-holiday period. Attackers registered tens of thousands of holiday- and retail-themed domains and sold over 1.57 million account records from stealer logs, fueling credential stuffing and account takeover. The report highlights active exploitation of critical flaws in platforms such as Magento, Oracle EBS, and WooCommerce, and emphasizes urgent mitigations: patching, MFA, bot management, domain monitoring, and payment-page integrity checks to reduce fraud and protect customers.

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

Sturnus Android Banking Trojan Targets Southern Europe

🛡️ ThreatFabric has detailed a new Android banking trojan named Sturnus that combines screen-capture, accessibility abuse, and overlays to steal credentials and enable full device takeover. The malware captures decrypted messages from WhatsApp, Telegram, and Signal by recording the device screen, serves region-specific fake banking login screens, and contacts operator servers via WebSocket/HTTP to receive encrypted payloads and enable remote VNC-style control. It resists cleanup by blocking uninstallation and leveraging administrator privileges.

Sturnus Android Trojan Steals Messages and Controls Devices

🔒 Sturnus is a new Android banking trojan discovered by ThreatFabric that can capture decrypted messages from end-to-end encrypted apps like Signal, WhatsApp, and Telegram. It abuses Accessibility services and on-screen capture to read message content and deploys HTML overlays to harvest banking credentials. The malware also supports real-time, AES-encrypted VNC remote control and obtains Android Device Administrator privileges to resist removal while targeting European financial customers with region-specific overlays.

California Man Pleads Guilty in $25M Crypto Laundering

🔒 Kunal Mehta, a 45-year-old from Irvine, has pleaded guilty to laundering at least $25 million connected to a wider $230 million cryptocurrency theft. Court documents say Mehta served as a money launderer for a transnational ring that used social engineering between October 2023 and March 2025 to access victims' crypto accounts. Prosecutors allege he created multiple shell companies in 2024, routed wire transfers into bank accounts designed to appear legitimate, and typically charged a 10% fee for converting stolen crypto to cash. Investigators say the group employed mixers, peel chains, pass-through wallets, VPNs, and conversions to Monero, though operational mistakes helped link laundered funds back to the theft.

Half a Million FTSE 100 Credentials Discovered Online

🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.

NCA Campaign Targets Men Under 45 Over Crypto Scams

🚨 The UK's National Crime Agency (NCA) has launched the "Crypto Dream Scam Nightmare" campaign to warn men under 45 about crypto investment fraud that lures victims with professional sites, apps and romance baiting. The initiative, part of the Home Office's Stop! Think Fraud programme, includes a short video and a 10-tip info sheet to help people recognise and avoid scams. The NCA noted Action Fraud logged over 17,000 investment fraud reports last year.

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL side-loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.