
All news with #phishing tag

615 articles · page 13 of 31

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️ Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell, which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.

SaaS Abuse at Scale: Phone-Based Scam Campaign Exposed

🔍 Attackers abused legitimate SaaS platforms to generate and distribute authentic-looking, phone-based scam lures by misusing native platform functionality. Rather than compromising services or spoofing domains, the campaign leveraged the trust and authentication posture of vendors to send approximately 133,260 phishing emails, impacting 20,049 organizations. This approach increased delivery success and made detection far more difficult for defenders.

Zendesk Spam Wave Returns, Flooding Users with Emails

📧 A fresh global spam wave is again exploiting unsecured Zendesk support portals to send automated 'Activate account' and other confirmation emails to large numbers of recipients. Messages appear to originate from legitimate company Zendesk instances and arrive in rapid bursts, sometimes hundreds per inbox, bypassing conventional filters. The activity mirrors a January campaign and suggests exposed ticket forms remain vulnerable.

AI Drives Rapid Doubling of Phishing Attacks in 2025

📨 Cofense reports that security filters caught a phishing email every 19 seconds in 2025 — more than double the 2024 rate of one every 42 seconds — as AI enables faster, larger-scale campaigns. The vendor's report, The New Era of Phishing: Threats Built in the Age of AI, warns that actors now use AI to generate highly personalized, polymorphic and multi-channel phishing that adapts per victim. It also highlights a 105% rise in remote access tool detections, a 19-fold spike in abuse of .es domains, and a 204% increase in email-delivered malware, urging post-delivery behavioral analysis and human validation.

OfferUp scams surge: common frauds and protection guidance

🔒 OfferUp users face a range of scams — from counterfeit goods and overpayment ruses to account takeovers, phishing links and empty-box deliveries. The platform provides 48-hour Purchase Protection for qualified on-app purchases but excludes off‑app and cash transactions. Follow advised safeguards: stay in-app, avoid third-party payments, meet at Community Meetup Spots and protect verification codes and personal data.

Why Smart People Fall for Phishing: Psychological Tactics

🧠 Unit 42 examines why phishing remains effective despite advanced defenses, highlighting the role of human psychology, cognitive bias and AI-enabled deception. The article outlines a three-stage attack model—The Bait, The Hook and The Catch—and common social engineering tactics such as urgency, authority and distraction. It urges a zero-trust mindset, continuous education and a simple habit: pause and verify before acting.

PDF Phishing Campaign Targets Corporate Dropbox Credentials

🔒 Forcepoint X-Labs has warned of a multi-stage phishing campaign that uses short, business-themed emails and PDF attachments to harvest corporate Dropbox credentials. The PDFs contain embedded AcroForm links that limit scanning by security tools and redirect victims to a legitimate cloud-hosted portal serving a spoofed login page. By leveraging reputable cloud infrastructure, the attackers reduce suspicion and bypass many automated reputation checks. Submitted credentials are exfiltrated to a Telegram channel, enabling account takeover and follow-on abuse.

Multi-stage PDF phishing uses Dropbox to harvest logins

📄 Forcepoint researchers describe a multi-stage phishing campaign that uses attached PDFs to redirect victims through cloud-hosted content to a fake Dropbox sign-in page. Attackers exploit spoofed or compromised senders and trusted services to bypass filters and authentication checks like SPF, DKIM, and DMARC. If credentials are entered they’re exfiltrated to attacker-controlled infrastructure for account takeover and fraud. The campaign succeeds because each step appears legitimate in isolation, exploiting habitual trust in PDFs and mainstream cloud services.

CTM360 Warns of Global Surge in Fake HYIP Investment Scams

🔍 CTM360 reports a global uptick in fraudulent High‑Yield Investment Programs (HYIPs) that promise implausible, guaranteed returns. Their WebHunt telemetry identified 4,200+ HYIP sites and 485+ incidents in December 2025, showing persistent, scalable activity. Two dominant variants — crypto trading and forex/stock trading facades — use polished interfaces, fake performance and recycled templates. Scams spread via paid social ads, Telegram, WhatsApp and referral schemes; many sites use fake licenses and KYC delays to freeze withdrawals before vanishing.

Watch for Winter Olympics Scams and Cyberthreats in 2026

⚠️ Cybercriminals commonly exploit major sporting events like the Milano‑Cortina 2026 Winter Olympics, using phishing, fake ticketing and streaming sites, rogue apps, SEO poisoning, QR-code scams and AI-driven deepfakes to steal data or money. Fans should purchase only from official ticket and merchandise channels, use the official Olympics app, and avoid pirated streams and unsolicited offers. Protect devices with reputable anti‑malware, avoid public Wi‑Fi or use a VPN, and be cautious with links, QR codes and marketplace listings.

Large-scale cloud storage payment scam floods inboxes

⚠️ Over recent months a global scam campaign has bombarded users with fraudulent cloud-storage renewal notices claiming payment failures and imminent deletion of photos and backups. The emails use auto-generated sender domains and links hosted on Google Cloud Storage that redirect to phishing pages impersonating cloud portals. Those pages run fake storage scans, promote unrelated affiliate products, and lead to checkout forms that collect credit card details. Delete these messages and verify billing only through official apps or websites.

January 2026 security roundup with Tony Anscombe — Lessons

🛡️ January brought several high-impact incidents that underline persistent enterprise risks. ServiceNow patched a critical AI-driven vulnerability (CVE-2025-12420) that could let unauthenticated actors impersonate admins on its AI platform. Unsecured Zendesk systems were abused for a large spam campaign, while the World Economic Forum reports cyber-fraud has overtaken ransomware as CEOs' top worry. Nike is also probing an alleged theft of 1.4 TB of data.

NCA and NatWest Warn Businesses of Invoice Fraud Risks

⚠️ NatWest and the UK's National Crime Agency (NCA) have launched a joint awareness campaign to highlight rising invoice fraud affecting businesses, including BEC and payment redirection. The initiative warns that fraudsters impersonate suppliers, intercept emails and pressure victims into urgent payments that are then diverted. Guidance urges businesses to Check, Verify, Never transfer funds until payment details are independently confirmed. The campaign also stresses that Accounts Payable and Finance teams are frequent targets of these schemes.

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.

Microsoft Teams to add report feature for suspicious calls

📞 Microsoft will add a Report a Call feature in Teams that lets users flag suspicious or unwanted one-to-one calls as potential scams or phishing. The option appears in call history on Windows, Mac and the web and is enabled by default; administrators can disable it in the Teams Admin Center under Calling settings. Limited metadata — timestamps, duration, caller ID and participant Teams IDs — is shared with the organization and Microsoft, and reports are viewable in the Microsoft Defender portal or Teams Admin Center. Targeted Release begins mid-March, with worldwide general availability planned by late April.

Four Arrested in Discord SWATting and Doxing Crackdown

🚨 Hungarian and Romanian police arrested four young men accused of orchestrating Discord-based SWATting and doxing campaigns that triggered hoax bomb threats and endangered targeted individuals. Law enforcement released video of coordinated raids in which computers, phones and other digital evidence were seized as investigators traced anonymous calls to spoofed numbers. Suspects, aged 16 to 20, face investigations and charges including misuse of personal data and public endangerment; authorities stress these actions are serious crimes with potentially life‑threatening consequences.

AI-Powered Polymorphic Attacks Enable Runtime Phishing

🔒 Researchers at Unit 42 demonstrated how attackers can convert benign webpages into bespoke phishing pages by calling LLMs from client-side code to generate malicious JavaScript in real time. This polymorphic technique assembles the malicious code inside the victim's browser, leaving no static payload and evading many traditional network and signature controls. Defenders are advised to prioritize message-layer protections, secure web gateways, and secure enterprise browsers to block both the initial lure and the last-mile reassembly of malicious code.

ClickFix Uses Signed App-V Scripts to Deploy Amatera

🔒 Blackpoint researchers describe a campaign that chains ClickFix-style fake CAPTCHA prompts with a signed Microsoft App-V script to proxy PowerShell and deliver the Amatera information stealer. Victims are tricked into pasting a command into the Windows Run dialog that abuses SyncAppvPublishingServer.vbs to load an in-memory loader, which pulls configuration from a public Google Calendar and retrieves a PNG containing an encrypted PowerShell payload. The attack targets systems with App-V enabled (Enterprise/Education), relies on manual user interaction, and uses living-off-the-land techniques and trusted services to frustrate detection and automated analysis.

Drowning in Spam? Ten Reasons and How to Stop It Now

📧 Inboxes can be overwhelmed by spam and scams for many reasons, from large-scale data breaches and web scraping to updated scam kits and AI-assisted phishing that evade filters. Attackers use these feeds to deliver malspam, impersonate trusted brands, or bury critical alerts through email bombing. Reduce exposure by keeping profiles private, using email-masking services, avoiding replies or unsubscribe links, and deploying reputable security software with layered anti-phishing and anti-spam protections.

New MaaS 'Stanley' enables phishing Chrome extensions

⚠️ Researchers at Varonis warn of a new malware‑as‑a‑service named Stanley that sells malicious browser extensions engineered to pass review and appear on the Chrome Web Store. The extensions overlay a full‑screen iframe with attacker-controlled phishing content while leaving the address bar intact, and the sellers claim silent auto‑installation on Chromium browsers. Stanley offers subscription tiers, including a Luxe Plan that assists with publishing extensions, and provides operator controls for targeting, notifications, and session correlation.