<ciso brief />

All news with #phishing tag

615 articles · page 14 of 31

Tax Phishing Targets Indian Users to Deliver Blackmoon

🧾 Cybersecurity researchers uncovered a phishing campaign impersonating India's Income Tax Department that delivers a multi-stage backdoor to targeted users. The attackers distribute a ZIP containing an executable that sideloads a malicious DLL, performs anti-analysis checks, and fetches further payloads, ultimately deploying a Blackmoon variant alongside a repurposed SyncFuture TSM RMM tool. The operation employs UAC bypass, process masquerading, antivirus exclusion manipulation, and numerous helper scripts to establish persistent, covert access for long-term monitoring and data exfiltration.

Researchers Expose HaxorSEO Backlink Marketplace Abuse

🔎 Security researchers at Fortra’s Intelligence and Research Experts (FIRE) uncovered a Telegram and WhatsApp marketplace called HaxorSEO offering over 1,000 backlinks on pre-compromised, legitimate domains. Operators install webshells and inject backlinks that point to phishing or malware sites, advertising SEO metrics like PA, DA and DR as a selling point. Listings cost as little as $6 each and can help fraudulent pages outrank genuine services. Users are advised to bookmark sensitive login pages and verify domains before entering credentials.

1Password Adds Pop-up Warnings for Suspected Phishing

⚠️ 1Password has added a browser pop-up that warns users when a visited URL appears to be a phishing or typosquatted site, aiming to prevent manual credential entry on deceptive pages. The feature will be enabled automatically for individual and family plans, while enterprise admins can turn it on via Authentication Policies in the admin console. 1Password cites rising AI-assisted phishing and internal survey data on click-through and credential reuse as motivating factors.

1Password Adds Pop-Up Alerts for Suspected Phishing

🔔 1Password has added an in-product pop-up that warns users when a visited URL looks like a potential phishing or typosquatted site, aiming to prevent manual credential entry. The feature is enabled by default for individual and family plan users; admins can activate it for employees via Authentication Policies. 1Password says the alerts are intended to make users pause and inspect URLs more closely, addressing cases where autofill protections alone are insufficient.

Multi-Stage Phishing Targets Russia with Amnesia RAT

🔒 Fortinet researchers detailed a multi-stage phishing campaign targeting Russian organizations that delivers the Amnesia RAT and Hakuna Matata ransomware. Attackers use business-themed decoy documents and malicious LNK files that fetch staged PowerShell loaders from GitHub while binary payloads are hosted on Dropbox. The chain abuses defendnot to disable Microsoft Defender, leverages Telegram bots for telemetry and exfiltration, and assembles payloads in memory to minimize disk artifacts. Targeted recipients include HR and payroll staff, enabling credential theft, surveillance, and destructive encryption.

Building Cyber Readiness Early: Youth Education Imperative

🔐 Cyber security should begin in childhood, not only as a late-stage workforce specialization. The piece argues that threat actors target schools, hospitals, municipalities and small businesses as aggressively as large enterprises, and that waiting for workforce pipelines to mature leaves communities exposed. Early, practical education—covering ransomware awareness, phishing resistance, hands-on skills and teacher training—reduces immediate risk and strengthens future talent pools.

Phishing Leads to LogMeIn RMM Deployment for Persistence

🔒 Cybersecurity researchers describe a two-wave phishing campaign that uses fake Greenvelope invitations to harvest Microsoft Outlook, Yahoo! and AOL credentials, then leverages those stolen logins to register and deploy legitimate LogMeIn RMM tools. Attackers deliver a signed executable, GreenVelopeCard.exe, containing a JSON configuration that silently installs LogMeIn Resolve and connects to an attacker-controlled URL. The RMM tool is configured for persistent, elevated access, with hidden scheduled tasks to ensure survival and ongoing remote control.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and BEC campaign targeting the energy sector. The attackers abused SharePoint file-sharing and legitimate trusted addresses (a living-off-trusted-sites, LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide activity. Microsoft says simple password resets are insufficient; organizations must revoke sessions, remove malicious rules, and enforce phishing-resistant controls.

Microsoft Teams adds brand impersonation call warnings

🔔 Microsoft is introducing Brand Impersonation Protection for Teams Calling, rolling out to the targeted release ring in mid‑February and enabled by default. The feature inspects incoming VoIP calls from first‑time external contacts for signs of brand impersonation and displays high‑risk call warnings before suspicious calls are answered. Users can accept, block, or end flagged calls, and alerts may persist during a conversation if suspicious signals continue. IT teams are advised to update support materials and brief helpdesks ahead of the rollout.

LastPass Phishing Campaign Targets Master Passwords

🔒 LastPass has warned users of an ongoing phishing campaign that began on January 19 and attempts to harvest master passwords by directing recipients to a fake LastPass login page. The fraudulent emails pressure users with a 24-hour "backup your vault" deadline to increase clicks. If credentials are entered, attackers can access the vault and any stored account logins. LastPass is working with partners to take down malicious domains and reiterated it will never request a master password.

KONNI's AI-Enhanced Malware Targets Software Developers

🐞 Check Point Research is tracking an active phishing campaign by KONNI, a North Korea–linked actor that has shifted from geopolitical targets to software developers and engineering teams. The campaign specifically targets blockchain and cryptocurrency projects and uses lures crafted to resemble legitimate project documentation. Attackers deliver malicious attachments and payloads intended to compromise developer credentials and infrastructure, and the activity displays expanded geographic reach and sophisticated social-engineering techniques.

Attackers Exploit Microsoft Teams to Phish Users Worldwide

📧 Attackers abused Microsoft Teams functionality to distribute phishing content that appears to come from legitimate services. They created guest invitations and finance-themed team names that mimic billing and subscription notices, prompting recipients to contact a fraudulent support phone number. The campaign sent 12,866 phishing messages (about 990 per day) and targeted 6,135 users. Recipients were encouraged to call attackers posing as support to resolve fake payment issues.

Real-Time LLM-Driven Runtime Assembly Phishing Attacks

⚠️ Unit 42 details a technique where seemingly benign webpages call trusted LLM APIs from the browser to generate malicious JavaScript dynamically and execute it at runtime. Carefully engineered prompts can bypass model safety guardrails and return credential-harvesting code that assembles in-browser into personalized phishing pages. Because payloads are served via trusted domains and differ per visit, this approach defeats many static and network-based detectors, making runtime behavioral analysis the most effective mitigation.

Common Apple Pay Scams and Practical Safety Steps in 2025

🔒 Apple Pay's convenience has made it a target for social-engineering scams; attackers generally manipulate users rather than exploit the platform's tokenization or biometric defenses. The article outlines common schemes — phishing/smishing, marketplace and overpayment/refund frauds, fake receipts, unsolicited payments, and evil‑twin Wi‑Fi — and highlights red flags like requests for 2FA codes. Recommended defenses include enabling Stolen Device Protection, turning on card notifications, using chargeback-eligible cards, and employing a VPN on public networks.

Unsecured Zendesk Instances Used in Global Spam Wave

📧 Attackers abused unverified ticket submission on Zendesk to trigger automated confirmation emails to thousands of addresses worldwide, producing a massive spam wave that began on January 18. The messages — often bizarre, alarming, or rendered with decorative Unicode — originated from legitimate company support systems, allowing them to bypass spam filters. Affected vendors such as Discord, Tinder, and Dropbox confirmed the incident and advised recipients to ignore the emails while platforms implement mitigations.

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.

Fake LastPass Emails Pose as Password Vault Backup Alerts

⚠️ LastPass is warning of a phishing campaign that impersonates maintenance notices and urges users to back up their vaults within 24 hours. The messages contain a 'Create Backup Now' button that redirects to a fraudulent site purporting to build an encrypted local backup, where attackers likely try to capture master passwords or hijack accounts. LastPass confirmed it will never ask for master passwords and advised recipients to report suspicious messages to abuse@lastpass.com. The company said the campaign began on January 19 and was timed to exploit a U.S. holiday weekend.

Phishing, Spoofed Sites Top Cyber Risks for Milano 2026

🔒 Palo Alto Networks' assessment identifies phishing and spoofed websites as the primary initial access vectors for the Milano-Cortina 2026 Winter Games. Researchers highlight business email compromise (BEC) as central to these campaigns, noting 76% of observed phishing relied on BEC to exploit trust among staff, partners and suppliers. The report warns that ransomware groups, nation-state actors and hacktivists will target ticketing, payment systems and APIs, and it advises basic vigilance, supplier vetting and reputable purchasing to reduce consumer risk.

Peruvian Loan Scam Harvests Card Details and PINs at Scale

🔒 A large-scale phishing campaign in Peru has used polished fake loan applications to collect valid card numbers, online banking passwords and 6-digit PINs, according to Group-IB. Active since 2024, the operation leverages targeted social media ads and roughly 370 domains, including 16 impersonating a major Peruvian bank. The flow deliberately breaks facial verification so victims are steered toward card entry, and card numbers are filtered with the Luhn check to ensure usability. Group-IB urges stronger customer education, multi-factor authentication and cross-industry intelligence sharing to counter the threat.

Phishing Happens to Everyone, Including Experts Today

🔒 A convincing, routine text claiming an unpaid toll demonstrates how even cautious people can fall for phishing. A well-known security expert admitted to repeatedly failing internal simulations, showing that distraction, emotional context, and timing defeat training. Flare's analysis of 8,627 underground conversations describes a mature phishing economy — PhaaS platforms, AI tools like PhishGPT, turnkey kits, and resilient infrastructure. The practical lesson: build habits, add friction, and pause before you click.