< ciso
brief />
Tag Banner

All news with #phishing tag

695 articles · page 10 of 35

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.
read more →

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.
read more →

AWS Launches End User Messaging Notify for OTPs Worldwide

📩 AWS announced AWS End User Messaging Notify, a service that lets developers send one-time passcodes (OTPs) within minutes using phone numbers and sender IDs owned by AWS. Developers configure a brand name, enable SMS, voice, or both, and use ready-to-use templates to send messages to over 200 countries. Every API call includes built-in SMS fraud protection via AWS End User Messaging SMS Protect at no extra cost, and spend limits can pause delivery if thresholds are met. Notify is available in all AWS Regions where End User Messaging is offered.
read more →

Phantom Stealer: .NET Infostealer Hits European Firms

🔍Phantom Stealer, a .NET-based infostealer sold as part of a commercial cybercrime toolkit, harvests browser credentials, cookies, saved passwords, autofill and payment card details as well as messaging and email session data from infected systems. Group-IB observed a sustained phishing campaign between November 2025 and January 2026 that targeted logistics, manufacturing and technology organizations across Europe in five waves. Emails impersonated an equipment trading company and carried archive attachments with obfuscated JavaScript droppers or malicious executables. Indicators such as SPF failures, missing DKIM, reused templates and consistent spelling mistakes pointed to automated, template-driven stealer-as-a-service activity, with stolen data exfiltrated via messaging platforms, SMTP and FTP.
read more →

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.
read more →

Tax Season Sees New Phishing and RMM-based Tactics

🧾Proofpoint researchers reported a surge of tax-themed campaigns in early 2026 delivering malware, remote access tools, fraud schemes and credential-phishing. The advisory published on March 30 notes increasing use of remote monitoring and management (RMM) tools and activity from newly identified threat actors. Attacks include BEC requests for W-2/W-9 forms and fake login pages targeting W-8BEN updates. Organisations are advised to educate users and monitor for topical tax lures during filing periods.
read more →

ICO fines UK alarm provider £100,000 for nuisance calls

📞 The Information Commissioner’s Office (ICO) fined Birmingham-based monitored alarm provider TMAC £100,000 after staff used false identities on marketing sales calls and the firm made over 260,000 calls to numbers registered on the Telephone Preference Service. The ICO said TMAC deliberately targeted individuals over 60 between February and September 2024, impersonating local crime and fire prevention initiatives to trick recipients. The regulator stressed these actions breached the Privacy and Electronic Communications Regulations and highlighted the importance of public reporting in enabling enforcement.
read more →

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.
read more →

New AiTM Phishing Campaign Targets TikTok for Business

🔒 Push Security has observed a coordinated wave of Adversary-in-the-Middle (AiTM) phishing pages specifically targeting TikTok for Business accounts. The malicious domains were registered on March 24 in a rapid, nine-second window and are hosted behind Cloudflare using Nicenic International Group as registrar. Victims are redirected through legitimate Google Cloud Storage links, presented with TikTok- or Google-themed content, and ultimately confronted with a reverse-proxy AiTM login flow after completing an initial information form.
read more →

AitM Phishing Campaign Targets TikTok for Business

🔒 Push Security warns of an adversary-in-the-middle (AitM) phishing campaign that seizes control of TikTok for Business accounts by presenting victims with malicious credential-capture pages after a Cloudflare Turnstile check. Lures include lookalike TikTok for Business and fake Google Careers pages, sometimes offering scheduled calls to gain trust. The attackers host pages on multiple domains and use the Turnstile challenge to evade automated scanners. Separately, WatchGuard reported SVG attachments used to deliver a Go-based malware artifact linked to BianLian-style activity.
read more →

Dutch Police Reports Limited Breach After Phishing Attack

🔒 The Dutch National Police disclosed a security breach stemming from a successful phishing attack, saying the incident was detected quickly and access was blocked by its Security Operations Center. Officials describe the impact as limited and state that citizens' data and investigative information were not accessed. A criminal investigation and an internal probe into affected systems are ongoing.
read more →

Phishing Campaign Targets TikTok for Business Accounts

🔒 Threat actors are targeting TikTok for Business accounts with Cloudflare-hosted phishing pages that evade bot detection by using Google Storage redirects and a Cloudflare Turnstile check. Victims first see fake forms that request business-email validation and are then shown a reverse-proxy login page that captures credentials and session cookies, allowing account takeover even with 2FA enabled. Push Security links the activity to a campaign that previously targeted Google Ad Manager and notes multiple NiceNIC-registered domains hosted in the same Google Storage bucket. Users should verify domains, treat unsolicited invites cautiously, and prefer passkeys for high-value accounts.
read more →

GitHub Phishing Uses Fake OpenClaw Tokens to Drain Wallets

🔒 Threat actors are exploiting interest in OpenClaw with a GitHub phishing campaign that lures developers with fake 'CLAW' token airdrops promising thousands of dollars. Attackers open issues, tag developers, and redirect victims to cloned sites that prompt users to connect their crypto wallets. Researchers at OX Security found obfuscated wallet‑stealing code and a C2 server used to collect addresses and drain funds. Recommended actions include blocking the phishing domain and revoking suspicious wallet approvals.
read more →

Invoice Fraud Costs UK Construction Sector Millions

⚠️ The UK's NCA, alongside the National Federation of Builders (NFB), has warned finance and accounts payable teams in construction about a rise in invoice fraud, a form of BEC that cost victims almost £4m in September 2025. Fraudsters impersonate or hijack supplier emails to change bank details on invoices, exploiting complex subcontractor networks and insecure email channels. The campaign urges staff to verify invoice changes by calling suppliers, delay payments until details are confirmed, and strengthen IT controls such as strong passwords, multi‑factor authentication and up‑to‑date anti‑malware.
read more →

Spammers Abuse Yandex Surveys to Host Phishing Campaigns

⚠️ Kaspersky researchers have observed threat actors abusing Yandex Surveys to host phishing content and evade email filters by leveraging the platform's legitimate domain reputation. Attackers embed fraudulent pitches and malicious links in rich-text survey blocks, add official-looking logos, then hide interface elements with invisible padding; Kaspersky Premium blocked about 2,200 such messages in January and over 32,000 in February. Recipients who follow the links land on polished giveaway pages that harvest personal data, wallet addresses, or payments.
read more →

Phishers Abuse Bubble to Steal Microsoft Account Credentials

🔒 Threat actors are abusing the no-code Bubble AI app builder to host phishing pages that harvest Microsoft account credentials. Because apps are hosted under *.bubble.io, email security tools often treat the links as legitimate and fail to flag them. Kaspersky researchers found attackers use obfuscated JavaScript and Shadow DOM structures to redirect victims to Microsoft-like login forms, sometimes behind Cloudflare checks, to exfiltrate entered credentials.
read more →

Device Code Phishing Targets 340 Microsoft Orgs Globally

🔐 Huntress is tracking an active device code phishing campaign targeting Microsoft 365 identities at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com-hosted infrastructure to harvest OAuth access and refresh tokens that remain valid after password resets. Sectors hit include construction, non-profits, real estate, manufacturing, finance, healthcare, legal and government.
read more →

Phishing Impersonating Palo Alto Networks Recruiters

🔔 Unit 42 reports a targeted phishing campaign where attackers impersonate Palo Alto Networks talent acquisition staff to lure senior professionals. Adversaries use scraped LinkedIn data, company logos, and look-alike email domains to claim candidates’ resumes fail applicant tracking systems and pressure them into paid 'ATS alignment' services. Recipients are advised to verify sender domains, refuse payment requests, avoid suspicious attachments, and report incidents to corporate security and Unit 42 for assistance.
read more →

Fake Resume Phishing Deploys Miners and Steals Credentials

📄 A targeted phishing campaign leverages fake French-language resumes containing heavily obfuscated Visual Basic Script droppers to steal enterprise credentials and deploy a Monero miner. The operation, tracked as FAUX#ELEVATE by Securonix, abuses legitimate services including Dropbox, compromised WordPress sites in Morocco for C2 configuration, and mail[.]ru SMTP accounts for exfiltration. The dropper uses sandbox-evasion techniques, a domain-join gate, and a persistent UAC loop to obtain admin privileges, disable defenses and execute its multi-stage toolkit rapidly.
read more →

Phishers Using Bubble No-Code Platforms for Redirects

🔗 Phishers are exploiting the Bubble no-code app builder to host web apps whose URLs appear legitimate and thus evade email filters. The platform’s dense JavaScript and Shadow DOM output confuses automated scanners, masking simple redirects to credential-harvesting pages. These Bubble-hosted apps are embedded in phishing messages and lead victims to convincing Microsoft sign‑in clones. Organizations should combine user training with endpoint protections and gateway anti-phishing controls to reduce risk.
read more →