ciso brief

All news with #phishing tag

615 articles · page 15 of 31

LastPass Warns Users of Fake Maintenance Phishing Campaign

🔔 LastPass is warning users about an active phishing campaign, observed from around January 19, 2026, that impersonates the service and urges users to create local backups within 24 hours as a pretext for harvesting master passwords. The messages route recipients through a staged AWS S3 URL that then redirects to a fraudulent domain (mail-lastpass[.]com) and originate from several spoofed support addresses. LastPass said it will never ask for master passwords and is working with partners to take down the malicious infrastructure while urging users to report suspicious messages.

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run, the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.

Brand Impersonation: Spoofed Websites, Risks & Mitigation

🔒 Brand impersonation—fake websites, domains, emails, ads, and social pages—is an increasingly common tactic used to harvest credentials, steal payments, distribute malware, and defraud customers and partners. Attackers exploit lookalike domains, SEO and paid ads, and phishing messages to lure victims; even imperfect forgeries can inflict financial, operational, and reputational harm. Organisations should monitor clones, maintain a visible trust centre, pursue rapid takedowns, block malicious domains internally, and coordinate legal, IT, and communications teams for fast response.

Chrome Extensions Impersonating Workday and NetSuite

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.

Account Compromise Soars 389% in 2025: eSentire Report

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.

Microsoft Tops Brands Imitated in Q4 2025 Phishing

🔒 In Q4 2025, Check Point Research found Microsoft to be the most impersonated brand in phishing campaigns, responsible for 22% of branded phishing attempts. Google followed with 13%, while Amazon rose to 9%, driven by Black Friday and holiday sales, displacing Apple. After a lengthy absence, Facebook (Meta) reappeared in the top ten at fifth, underscoring renewed interest in social media account takeover. The pattern reflects a multi-quarter trend of attackers abusing trusted enterprise and consumer brands to harvest credentials and gain initial access.

Microsoft Seizes Servers, Disrupts RedVDS Cyberplatform

🔒 Microsoft says it disrupted RedVDS, a cybercrime-as-a-service platform tied to at least $40 million in U.S. losses since March 2025. The company filed civil lawsuits in the U.S. and U.K., and — working with Europol and German authorities — seized servers, took the marketplace and customer portal offline, and removed malicious infrastructure. RedVDS rented disposable Windows cloud servers worldwide to enable large-scale phishing, BEC, credential theft and AI‑enhanced impersonation campaigns.

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions in which attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue, then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.

ConsentFix debrief: New OAuth phishing technique analysis

🔒 Push Security discovered ConsentFix in December — a browser-native OAuth phishing technique that tricks victims into pasting a legitimate Microsoft authorization URL so attackers can exchange the code and hijack accounts. The campaign targeted pre-consented first-party Microsoft apps and legacy scopes to evade default logging and Conditional Access controls. Push and the security community have published hunting guidance and mitigations focused on logging, access restrictions, and browser-based detection.

New Remcos Phishing Campaign Uses CVE-2017-11882 RTF

🛡️ FortiGuard Labs uncovered a phishing campaign that delivers a fileless Remcos RAT via a malicious Word document which loads a remote RTF exploiting CVE-2017-11882. The exploit executes shellcode to fetch a VBScript that launches a Base64 PowerShell loader. That PowerShell downloads an image with an embedded .NET module, which the loader runs in memory to install persistence and inject the Remcos payload into a legitimate process using process hollowing.

Convincing LinkedIn comment-reply phishing uses lnkd.in

⚠️ Scammers are targeting LinkedIn with fake comment replies that impersonate the platform and falsely warn users of policy violations or temporary account restrictions. The malicious replies sometimes use LinkedIn’s lnkd.in shortener or obscure .app domains to hide phishing destinations and present convincing link previews. Victims who click are directed to credential-harvesting pages that request identity verification. LinkedIn says it is aware and is taking action; members should report suspicious comments.

Phishing Uses Browser-in-the-Browser to Steal Facebook

🔒 Cybercriminals are increasingly using browser-in-the-browser (BitB) attacks to harvest Facebook credentials, researchers at Trellix report. Attackers distribute phishing emails with spoofed, shortened links and present a fake in-browser pop-up that mimics the Facebook login — even hardcoding the real Facebook URL and displaying a bogus CAPTCHA to boost credibility. Victims are prompted for personal details and then asked to confirm their password; enabling two-factor authentication and avoiding embedded links can mitigate these scams.

Old Playbook, New Scale: Attackers Optimize the Basics

🔐 Attackers in 2025 are not inventing wholly new techniques but refining long‑standing ones—supply‑chain compromise, credential theft, and malware in official stores—at vastly greater scale. AI has lowered the barrier to entry, enabling small teams or individuals to publish trusted packages, automate phishing, and pivot them to malicious behavior. Gaps in permission models and slow supply‑chain mitigation let these campaigns cascade through dependencies. Defenders should prioritize fundamentals: fix permissions, harden verification, and make phishing‑resistant authentication the default.

Facebook Login Thieves Adopt Browser-in-Browser Trick

🔐 Over the past six months, threat actors have increasingly used the Browser-in-the-Browser (BitB) technique to harvest Facebook credentials, according to Trellix. Attacks display realistic fake login pop-ups implemented with iframes and often leverage URL shorteners and reputable cloud hosts like Netlify and Vercel to evade detection. Campaigns impersonate law firms, copyright notices, and Meta security alerts, adding counterfeit CAPTCHA pages to increase legitimacy. To reduce risk, avoid embedded links, enable two-factor authentication, and verify whether login windows can be dragged outside the browser to detect BitB.

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" ("NOTICE of initiation of enforcement proceedings") and "Дополнительные выплаты" ("Additional payments")) which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates the data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.

Phishing and Fraud Surpass Ransomware as Top Risk Globally

🔒 Phishing and broader cyber-enabled fraud have overtaken ransomware as the primary concern for business leaders, according to the World Economic Forum’s Global Cybersecurity Outlook for 2026. The WEF report, produced with Accenture and released on 12 January ahead of Davos, found that 77% of surveyed executives reported increases in fraud and phishing, with 62% aware of phishing incidents in their networks. The review also highlights accelerating AI-driven vulnerabilities — 87% reported rising AI-related risks and 94% expect AI to shape cybersecurity in 2026.

Service Providers Fueling Pig Butchering Scam Ecosystem

🔍 Cybersecurity researchers have identified service providers that supply tools, infrastructure, and turnkey platforms to scale pig butchering (PBaaS) operations across Southeast Asia. Vendors such as Penguin Account Store and UWORK offer stolen identities, pre-registered accounts, SIMs, CRM panels, mobile apps, and payment processors, enabling mass victimization and rapid fund movement. These offerings dramatically lower technical barriers and empower fraud operations tied to human-trafficking-enabled scam compounds.