All news with #credential stuffing tag

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

🔒 DraftKings has notified customers that attackers accessed some accounts in a wave of credential stuffing attacks. The company says the threat actors used credentials stolen from non‑DraftKings sources to log in and may have viewed limited profile and account data — including name, address, date of birth, email, phone, the last four digits of a payment card, profile photo, transaction history, account balance, and the date the password was last changed. DraftKings said no full financial account numbers or government‑issued identification numbers were accessed. Affected users will be required to reset passwords and are being urged to enable multifactor authentication and monitor their financial and credit records.

🔒 Malwarebytes has flagged a phishing campaign that impersonated 1Password’s Watchtower breach alerts, nearly tricking an employee into surrendering their vault credentials. The message used authentic branding, familiar phrasing and urgency cues, and embedded legitimate-seeming support links before redirecting victims via Mandrill to a typosquatted credential‑stealing page. By Oct. 2 multiple vendors had marked the site as phishing and Mandrill blocked the redirect, but earlier clicks may already have exposed entire vaults.

🔍 Check Point Research found a marked rise in Amazon Prime Day scams during the first three weeks of September 2025, driven by malicious domains, phishing emails, and credential-harvesting pages that mimic legitimate Amazon communications. Attackers are exploiting urgency and trusted branding to capture login and payment details. Consumers and organizations should verify senders and domains, enable MFA, apply robust email filters, and monitor account activity to reduce exposure.

⚠️ The FBI warns that cybercriminals are creating spoofed versions of the Internet Crime Complaint Center (IC3) website to harvest personally identifiable information and facilitate financial scams. The agency noted over 100 reports between December 2023 and February 2025 prompting a public service announcement and flagged domains that mimic ic3.gov. Users are advised to type www.ic3.gov directly, avoid sponsored search results, never share sensitive data, and remember the FBI will never ask for payment to recover funds.

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

🔒 Browser-targeted attacks are rising as adversaries treat the browser as the primary access point to cloud services and corporate data. The article defines browser-based attacks and enumerates six high-risk techniques: credential and session phishing, ClickFix-style copy-and-paste exploits, malicious OAuth consent flows, rogue extensions, malicious file delivery, and credential reuse where MFA gaps exist. These vectors are effective because modern work happens in decentralized SaaS environments and across many delivery channels, making traditional email- and network-centric defenses less reliable. The piece highlights visibility gaps for security teams and points to vendor platforms such as Push Security that claim to provide in-browser detection and remediation for AiTM phishing, OAuth abuse, and session hijacking.

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

🔒 Kosovo national Liridon Masurica has pleaded guilty to operating the cybercrime marketplace BlackDB.cc, which the Justice Department says sold compromised accounts, server credentials, stolen credit cards, and PII since 2018. Masurica was arrested in Kosovo in December 2024, extradited to the United States in May 2025, and is detained following a court appearance in Tampa. He faces federal charges that include five counts of fraudulent use of unauthorized access devices and a conspiracy count, carrying up to 55 years in prison. The FBI coordinated the investigation with Kosovo law enforcement and international partners.

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.

🔐 The Picus Blue Report 2025 finds that password cracking succeeded in 46% of tested environments, while Valid Accounts (T1078) exploitation achieved a 98% success rate. Many organizations still rely on weak passwords, outdated hashing, and lax internal controls, leaving credential stores exposed. The report urges adoption of widespread MFA, stronger password policies, routine credential-validation simulations, and improved behavioral detection to reduce undetected lateral movement and data theft.