All news with #credential stuffing tag

🔐 Computer-using agents (CUAs) — AI systems that perceive screens and act like humans — are poised to scale phishing and credential-stuffing attacks by automating UI interactions, adapting to layout changes, and bypassing anti-bot defenses. Organizations should move beyond passwords and shared-secret MFA to device-bound, cryptographic authentication such as FIDO2 passkeys and PKI-based certificates to reduce large-scale compromise. SaaS vendors must integrate with identity platforms that support phishing-resistant credentials to strengthen overall security.

🔐 The article outlines how everyday credential reuse and phishing feed a persistent compromise lifecycle: credentials are created, stolen, aggregated, tested, and ultimately exploited. It details common vectors — phishing, credential stuffing, third-party breaches, and leaked API keys — and describes criminal marketplaces, botnets, opportunistic fraudsters, and organized crime as distinct actors. Consequences include account takeover, lateral movement, data theft, resource abuse, and ransomware, and the piece urges immediate action such as scanning for leaked credentials with tools like Outpost24's Credential Checker.

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

🔒 FortiGuard Incident Response observed that in H1 2025 financially motivated actors frequently used stolen credentials and legitimate remote-access software to gain and extend access across environments. Adversaries relied on compromised VPN logins, password reuse, or purchased credentials, deploying tools like AnyDesk, Splashtop, Atera and ScreenConnect to move laterally and exfiltrate data manually. These intrusions often bypass endpoint-focused defenses because activity mimics normal user behavior, so FortiGuard emphasizes identity- and behavior-driven detection, broad MFA enforcement, and monitoring of remote access tooling.

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.

⚠️ Check Point researchers uncovered a long-running operation that uploaded and promoted over 3,000 YouTube videos linking to malware downloads. The network, dubbed the YouTube Ghost Network, has been active since 2021 and saw its volume triple this year, using hacked channels and a role-based structure to sustain distribution. Videos offering pirated software and Roblox cheats pointed users to cloud-hosted files or phishing pages that deployed stealers and Node.js loaders, and Google has removed the majority of identified content.

🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.

🔒Researchers detail a threat cluster called Jingle Thief that leverages phishing and smishing to harvest credentials and compromise cloud environments of retailers and consumer services to issue unauthorized gift cards. Palo Alto Networks Unit 42 links the activity to financially motivated actors and notes coordinated campaigns in April-May 2025. The attackers favor identity misuse over malware, persistently mapping tenants, abusing Microsoft 365 services, and minimizing logs to sustain large-scale fraud.

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

🔒 DraftKings has notified customers that attackers accessed some accounts in a wave of credential stuffing attacks. The company says the threat actors used credentials stolen from non‑DraftKings sources to log in and may have viewed limited profile and account data — including name, address, date of birth, email, phone, the last four digits of a payment card, profile photo, transaction history, account balance, and the date the password was last changed. DraftKings said no full financial account numbers or government‑issued identification numbers were accessed. Affected users will be required to reset passwords and are being urged to enable multifactor authentication and monitor their financial and credit records.

🔒 Malwarebytes has flagged a phishing campaign that impersonated 1Password’s Watchtower breach alerts, nearly tricking an employee into surrendering their vault credentials. The message used authentic branding, familiar phrasing and urgency cues, and embedded legitimate-seeming support links before redirecting victims via Mandrill to a typosquatted credential‑stealing page. By Oct. 2 multiple vendors had marked the site as phishing and Mandrill blocked the redirect, but earlier clicks may already have exposed entire vaults.

🔍 Check Point Research found a marked rise in Amazon Prime Day scams during the first three weeks of September 2025, driven by malicious domains, phishing emails, and credential-harvesting pages that mimic legitimate Amazon communications. Attackers are exploiting urgency and trusted branding to capture login and payment details. Consumers and organizations should verify senders and domains, enable MFA, apply robust email filters, and monitor account activity to reduce exposure.

⚠️ The FBI warns that cybercriminals are creating spoofed versions of the Internet Crime Complaint Center (IC3) website to harvest personally identifiable information and facilitate financial scams. The agency noted over 100 reports between December 2023 and February 2025 prompting a public service announcement and flagged domains that mimic ic3.gov. Users are advised to type www.ic3.gov directly, avoid sponsored search results, never share sensitive data, and remember the FBI will never ask for payment to recover funds.

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

🔒 Browser-targeted attacks are rising as adversaries treat the browser as the primary access point to cloud services and corporate data. The article defines browser-based attacks and enumerates six high-risk techniques: credential and session phishing, ClickFix-style copy-and-paste exploits, malicious OAuth consent flows, rogue extensions, malicious file delivery, and credential reuse where MFA gaps exist. These vectors are effective because modern work happens in decentralized SaaS environments and across many delivery channels, making traditional email- and network-centric defenses less reliable. The piece highlights visibility gaps for security teams and points to vendor platforms such as Push Security that claim to provide in-browser detection and remediation for AiTM phishing, OAuth abuse, and session hijacking.

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

🔒 Kosovo national Liridon Masurica has pleaded guilty to operating the cybercrime marketplace BlackDB.cc, which the Justice Department says sold compromised accounts, server credentials, stolen credit cards, and PII since 2018. Masurica was arrested in Kosovo in December 2024, extradited to the United States in May 2025, and is detained following a court appearance in Tampa. He faces federal charges that include five counts of fraudulent use of unauthorized access devices and a conspiracy count, carrying up to 55 years in prison. The FBI coordinated the investigation with Kosovo law enforcement and international partners.

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.

🔐 The Picus Blue Report 2025 finds that password cracking succeeded in 46% of tested environments, while Valid Accounts (T1078) exploitation achieved a 98% success rate. Many organizations still rely on weak passwords, outdated hashing, and lax internal controls, leaving credential stores exposed. The report urges adoption of widespread MFA, stronger password policies, routine credential-validation simulations, and improved behavioral detection to reduce undetected lateral movement and data theft.