CISO Brief

All news with #phishing tag

615 articles · page 11 of 31

Starkiller phishing service proxies real login flows

🔐 Starkiller is a phishing-as-a-service that dynamically loads live login pages and proxies user interactions through attacker-controlled infrastructure. It generates deceptive URLs that visually mimic legitimate domains (for example using an @-based URL trick), spins up containerized headless browsers, and records every keystroke, session token, and MFA code. The platform streams sessions in real time, harvests cookies and MFA codes, and delivers campaign analytics and Telegram alerts to customers.

TrustConnect: Fake RMM Service Used by Cybercriminals

⚠️ Proofpoint uncovered TrustConnect, a malware-as-a-service that masquerades as a legitimate remote monitoring and management (RMM) product and is advertised at about $300 per month. The operation uses a polished public website and a backend portal that functions as a web-based command-and-control dashboard for paying customers. Attackers primarily rely on social engineering — phishing lures and signed installers impersonating Zoom, Teams, Adobe Reader and others — to trick victims into running the RAT, which auto-registers infected hosts in the portal. Researchers disrupted parts of the infrastructure but observed resilient activity and a related variant called DocConnect.

ClickFix Campaign Uses Compromised Sites to Deploy MIMICRAT

🔒 Elastic Security Labs disclosed a ClickFix campaign that leverages compromised legitimate websites to deliver a new remote access trojan named MIMICRAT. Attackers inject JavaScript to load an externally hosted PHP lure that shows a fake Cloudflare verification page and tricks victims into running a PowerShell command. A multi-stage PowerShell chain performs ETW and AMSI bypasses, then drops a Lua-based in-memory loader which decrypts shellcode to install the RAT. MIMICRAT communicates over HTTPS on port 443 using profiles that mimic web analytics and supports localized lures in 17 languages to widen impact.

Device-Code Phishing Uses OAuth to Bypass Microsoft 365

🔐 Researchers at KnowBe4 discovered a campaign aimed at North American businesses that tricks employees into entering a “Secure Authorization” code on a legitimate Microsoft 365 login page. Unknown to victims, the code actually authorizes an attacker-controlled device through the OAuth 2.0 Device Authorization Grant, issuing access and refresh tokens that grant persistent access to Outlook, Teams, OneDrive and other services. Recommended mitigations include allowlisting OAuth apps, disabling device-code flow in Entra conditional access where feasible, auditing integrations, and ongoing employee awareness training.

Industrial-Scale Fake Coretax Apps Drive $2M Fraud

🔍 Group-IB uncovered a sophisticated campaign that impersonated Indonesia’s official Coretax service to distribute malicious Android APKs, causing an estimated $1.5m–$2m in losses nationwide. Attackers combined phishing sites, WhatsApp impersonation and vishing to coerce victims into installing RATs such as Gigabud.RAT and MMRat, enabling remote access and unauthorized banking transfers. The operation produced 996 phishing URLs, 228 new malware samples and used infrastructure that impersonated over 16 trusted brands, suggesting a scalable MaaS model.

Nigerian Hacker Sentenced to Eight Years for Tax Fraud

🔒 A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison after hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. Authorities say he stole clients' Social Security numbers and prior-year tax data by deploying the Warzone RAT masked with a crypter, and used convincing CEO-impersonation phishing messages with a Dropbox link to silently install malware. Akande was arrested in October 2024 at London’s Heathrow Airport, extradited to the U.S. in March 2025, and ordered to pay nearly $1.4 million in restitution plus three years of supervised release.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

Starkiller phishing kit uses proxy to bypass MFA protections

⚠️ Abnormal researchers have identified Starkiller, a commercial-grade phishing kit that proxies live login pages to harvest credentials and session tokens. Unlike static HTML clones, Starkiller runs a headless Chrome proxy that serves genuine page content and forwards one-time codes in real time, enabling MFA bypass. Distributed as a subscription on the dark web with updates and Telegram support, it includes real-time session monitoring, a keylogger and deceptive URLs mimicking major providers. Organizations should monitor anomalous login patterns and session token reuse to reduce risk.

Phishing Abuse of Google Tasks to Steal Credentials

🔔 Attackers are abusing Google Tasks notifications to bypass email filters and trick employees into submitting corporate credentials. Recipients receive legitimate-looking @google.com notices urging urgent action and a link to a credential-harvesting form. Organizations should train staff, maintain clear lists of authorized services, and consider mail gateway security and endpoint protection to block phishing sites. Use tools like Kaspersky Automated Security Awareness Platform to automate training.

Poshmark Scam Risks: How Buyers and Sellers Are Targeted

🔒 Poshmark users face a variety of scams that exploit the platform’s social commerce model and policies. Fraudsters commonly try to move transactions off-platform to avoid the 20% commission, then use phishing links, fake payment confirmations, or malware to steal money and data. Sellers are vulnerable to refund and non-delivery schemes, while buyers risk counterfeit or misrepresented goods. Always keep communications and payments inside Poshmark and verify payments through the app.

Operation DoppelBrand: Phishing Targets Major Firms

🔒 SOCRadar has uncovered a phishing campaign named Operation DoppelBrand that targeted Fortune 500 financial, insurance and technology firms between December 2025 and January 2026. The activity is attributed to financially motivated actor GS7 and relies on lookalike domains and cloned login portals to harvest credentials, which are forwarded to Telegram bots. Successful compromises often result in the deployment of legitimate remote access tools such as LogMeIn Resolve, delivered via MSI installers and supported by VBS loaders for privilege escalation and silent installation.

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.

Snail Mail Phishing Targets Trezor and Ledger Users

📬 Cybercriminals are mailing phishing letters impersonating Trezor and Ledger to trick hardware wallet owners into surrendering recovery phrases. The letters pressure recipients with deadlines for an Authentication Check or Transaction Check and instruct them to scan QR codes that lead to cloned setup pages. Those pages prompt entry of 24-, 20- or 12-word seed phrases, which are then sent to attacker-controlled servers, allowing funds to be stolen. Never share your recovery phrase; manufacturers will never ask for it.

QR Codes as an Attack Vector: Phishing, Deep Links

🔐 Unit 42 investigates the rising misuse of QR codes for phishing, in‑app deep‑link exploitation, and direct distribution of malicious Android APKs. Their telemetry shows an average of over 11,000 malicious QR-code detections per day, driven by tactics that mask destinations and exploit mobile app behavior. The report highlights QR shorteners, custom deep links, and APK hosting as key evasive techniques and recommends user education plus deployment of decoding and filtering controls such as Advanced URL Filtering and Prisma Browser to improve visibility and block threats.

South Korea Fines LVMH Brands $25M Over Data Breach

🔒 South Korea's Personal Information Protection Commission fined Louis Vuitton, Christian Dior Couture, and Tiffany a combined $25 million after cloud-based customer management systems were compromised, exposing data for more than 5.5 million customers. Investigators found an employee device infected with malware at Louis Vuitton and successful phishing and voice-phishing attacks at Dior and Tiffany that granted attackers access to the SaaS platform. Regulators cited failures to enforce IP-based access controls, deploy strong authentication, restrict bulk downloads, and monitor access logs, and penalized late breach notification. The PIPC emphasized that using a SaaS provider does not relieve companies of responsibility for protecting client data.

Google Links Suspected Russian Actor to CANFAIL Attacks

⚠️ Google Threat Intelligence Group (GTIG) attributes a previously undocumented actor, likely linked to Russian intelligence, to campaigns using CANFAIL against Ukrainian defense, military, government, and energy organizations. The actor has expanded interest to aerospace, defense-adjacent manufacturing, nuclear and chemical research, and humanitarian groups, often impersonating Ukrainian and Romanian energy firms in phishing. Operators used LLMs to produce reconnaissance and social-engineering lures, embedding Google Drive links to RAR archives that deliver obfuscated JavaScript which spawns PowerShell memory-only droppers. GTIG links this activity to the PhantomCaptcha campaign disclosed by SentinelOne SentinelLABS in October 2025.

Four new techniques show Windows .LNK files are unsafe

⚠ Wietze Beukema disclosed four new LNK techniques that can mislead Windows users by showing harmless shortcut targets while executing different programs. He demonstrated how inconsistent fields in the LNK format — including TargetIDList, EnvironmentVariableDataBlock, LinkInfo, and paired ANSI/Unicode values — let attackers spoof visible destinations, hide command-line arguments, and run concealed binaries. These methods can enable phishing, USB-borne attacks, and stealthy initial access and rely on Windows' normal shortcut handling rather than a traditional software bug. Until mitigations or behavior changes are implemented, treat untrusted .LNK files as potentially dangerous.

How Modern Technology Is Reshaping Romantic Relationships

💌 Technology is changing how people communicate, date, and form attachments. Messaging dialects, emoji usage and generational differences now shape tone and intimacy, but they can also be exploited: attackers can use AI to clone someone’s voice or texting style for social engineering. The article reviews AI companions such as Replika and high‑profile AI weddings, and warns about deepfakes, catfishing, phishing, stalking and sextortion. Practical guidance includes verifying contacts with video calls or reverse image search, using security software, stripping photo metadata, locking down privacy settings, and choosing end‑to‑end encrypted apps with self‑destructing messages for sensitive content.

Abandoned Outlook Add-in Hijacked to Phish 4,000 Users

⚠️ Koi Security found that an abandoned Outlook add-in, AgreeTo, was hijacked to run phishing kits that captured roughly 4,000 Microsoft account credentials. The attacker claimed an orphaned Vercel subdomain referenced in the add-in’s XML manifest and replaced live content with a fake sign-in page while retaining mailbox permissions. Microsoft had validated and signed the original manifest but does not re-review hosted content fetched at runtime. Users should remove AgreeTo and reset affected passwords immediately.

Winter Olympics 2026: Ticket, Streaming and Merch Scams

🔒 Kaspersky researchers have identified a surge in scams targeting fans of the Winter Olympics 2026 in Italy. Fraudsters exploit high demand for tickets and merchandise, using phishing sites that clone official vendors and fake online stores to steal payment and personal data. Bogus streaming services lure viewers with “free” or cheap access while requesting credit-card details or redirecting to ads and malware. Users should buy only through official channels, verify URLs, avoid unsolicited links, and deploy a robust security solution such as Kaspersky Premium to block phishing, dangerous sites, and card skimmers.