
All news with #phishing tag

615 articles · page 17 of 31

FBI Seizes Domain Hosting Stolen US Bank Credentials

🔒 The FBI has seized the domain web3adspanels.org and the backend database used to host thousands of stolen U.S. bank login credentials collected via phishing ads on Google and Bing. Authorities report confirmed financial losses of about $14.6 million and attempted losses near $28 million, affecting at least 19 victims including two companies in the Northern District of Georgia. The seizure, conducted with help from Estonian and other international partners, removed a server that was active as recently as November; no arrests have been announced.

Attacks Evolve: Three Practical Protections for 2026

🔐 Small and medium-sized businesses became the primary target of data breaches in 2025, as attackers shifted focus from well-defended large enterprises to higher-volume attacks against smaller organizations. High-profile incidents at Tracelo, PhoneMondo, and SkilloVilla exposed millions of customer records—predominantly names and contact information—raising the risk of follow-on phishing and fraud. To reduce breach risk in 2026, adopt two-factor authentication, enforce the principle of least privilege for access control, and centralize credentials with a secure password manager. These steps are practical, cost-effective, and scalable for SMBs.

SEC Charges Firms Over $14M AI-Themed Crypto Scam Alleged

⚖️ The U.S. Securities and Exchange Commission has filed charges alleging an elaborate cryptocurrency fraud that stole more than $14 million from retail investors. The complaint names trading platforms Morocoin Tech, Berge Blockchain, and Cirkor and investment clubs that lured victims with fake AI-generated investment tips on WhatsApp. Investors were steered into bogus Security Token Offerings and fake trading platforms that later froze accounts and demanded advance fees. The SEC is seeking injunctions, civil penalties, and repayment with prejudgment interest.

Brushing Scams: Unsolicited Parcels and Fake Reviews

📦 Brushing scams involve sellers sending unsolicited, low‑value items to random addresses to create fake purchase histories and post 5‑star reviews. Attackers obtain names and mailing addresses from breaches, people‑search services or public scraping, then use fake buyer accounts to place and rate orders. Parcels can signal compromised data and sometimes include QR codes that lead to phishing or malware. If you receive an unexpected item, check accounts, enable MFA, and report it to the marketplace.

86% Surge in Fake Delivery Sites Targets Holiday Shoppers

📦 Cybercriminals are exploiting the holiday rush, with NordVPN reporting an 86% month-over-month increase in malicious postal service websites. Fraudsters impersonate carriers such as DHL and USPS, using smishing and phishing links to steal data; DHL spoof sites rose 206% while USPS impersonations jumped 850% in one month. Consumers are urged to avoid unsolicited tracking links, verify tracking numbers on official carrier sites or apps, inspect sender details for altered domains, and report suspicious messages to carriers or the FTC.

Phishing Uses Google Cloud Automation to Evade Detection

🛡️ Attackers abused Google Cloud Application Integration to send thousands of malicious emails that appeared to originate from the legitimate address noreply-application-integration@google.com. The messages impersonated routine enterprise notifications—voicemail alerts, file-access and permission requests—raising the chance recipients would click links or disclose credentials. Check Point observed 9,394 phishing emails targeting about 3,200 customers over 14 days.

Nigeria Arrests Developer of RaccoonO365 Microsoft Phishing

🔒 Nigerian police arrested three individuals linked to targeted Microsoft 365 phishing attacks delivered via the RaccoonO365 platform, citing intelligence shared by Microsoft and the FBI. Authorities say one suspect, Okitipi Samuel (aka RaccoonO365 or Moses Felix), developed and sold phishing kits on Telegram and hosted pages on Cloudflare using compromised accounts. The toolkit automated fake Microsoft login pages and has been tied to at least 5,000 account compromises across 94 countries; two other detainees currently have no proven role in creating the service.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing

🔒 Proofpoint links a September 2025 phishing campaign to a suspected Russia-aligned cluster called UNK_AcademicFlare that exploits device code authentication to seize Microsoft 365 accounts. The group leverages compromised government and military email addresses to build rapport and send Cloudflare Worker links that mimic OneDrive, asking victims to copy and enter a short code. When users input the code on Microsoft's device code page, the service issues an access token that attackers can capture to take over accounts.

Microsoft 365 OAuth Device Code Phishing Wave Expands

🔒 Multiple threat actors are exploiting the OAuth device code flow to compromise Microsoft 365 accounts by tricking users into entering device codes on legitimate Microsoft device login pages, which results in victims authorizing attacker-controlled applications and granting persistent access without credential theft or direct MFA bypass. Proofpoint reports a significant volume increase since September and attributes activity to financially motivated groups such as TA2723 and a suspected Russia-aligned actor tracked as UNK_AcademicFlare. The campaigns use phishing kits like SquarePhish and Graphish and employ lures such as salary bonuses and spoofed OneDrive links. Organizations should enforce Microsoft Entra Conditional Access and implement sign-in origin policies to mitigate these attacks.

Nigeria Arrests RaccoonO365 Developer Behind PhaaS

🔒 Authorities in Nigeria arrested three alleged internet fraud suspects, including the principal developer of the RaccoonO365 phishing-as-a-service toolkit, following a joint investigation with Microsoft and the FBI. Investigators say the suspect operated a Telegram channel selling phishing links for cryptocurrency, hosted fraudulent Cloudflare portals, and used stolen or fraudulently obtained credentials to harvest Microsoft 365 logins. Laptops, mobile devices, and other evidence were seized during searches.

GhostPairing attack allows remote WhatsApp account linking

⚠️ Researchers at Gen Digital have identified a social-engineering technique dubbed GhostPairing that lets attackers add themselves as a trusted device to a victim’s WhatsApp account without passwords. By sending a malicious message that prompts the user to verify their phone number, attackers forward the generated pairing code and the user inadvertently approves the session. Once linked, the attacker can read and send messages in real time and propagate the scam to the victim’s contacts. Users should check Linked Devices and enable two-step verification.

OAuth Device Code Phishing Surges, Targeting Microsoft 365

🔐 Proofpoint has observed a sharp increase in phishing campaigns that abuse Microsoft's OAuth device code authorization flow to gain access to Microsoft 365 accounts. Attackers use social engineering — QR codes, embedded buttons and hyperlinks — to trick users into entering device codes on Microsoft's legitimate verification page, which yields valid access tokens. Readily available tools such as SquarePhish2 and Graphish have lowered the bar for both state-aligned and financially motivated actors.

ThreatsDay Bulletin: Emerging Tactics and Notable Incidents

🔔 This week's ThreatsDay Bulletin highlights a rapid reshaping of old tools and fresh abuse of familiar systems across fraud, malware, and infrastructure. Notable incidents include a cross-border scam ring dismantled in Ukraine that defrauded hundreds of people of over €10 million, the modular SantaStealer infostealer sold as malware-as-a-service, and a WhatsApp device-linking hijack dubbed GhostPairing. Security teams should verify linked sessions, reduce exposed management endpoints, and prioritize timely patching and credential hygiene.

HMRC Warns of Over 135,000 Scam Reports to Taxpayers

🛡️ HMRC has received over 135,500 scam reports since February 2025, including about 4,800 tied to its Self Assessment system, and warns scams will rise ahead of the January 31, 2026 filing deadline. Fraudsters impersonate HMRC via phone, email and text to pressure victims into paying fake bills, disclosing personal data or installing malware. HMRC says it shut 25,000 phishing sites and numbers in the last 10 months and urges people to protect, recognize and report suspicious contacts to phishing@hmrc.gov.uk.

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.

WhatsApp device-linking abused in GhostPairing campaign

🔒 Threat actors are abusing WhatsApp's legitimate device-linking feature in a campaign named GhostPairing, tricking victims into entering pairing codes on fake verification pages. Once a code is submitted, attackers gain full access to conversations and shared media and can send messages as the victim to propagate the lure. Users should check Settings → Linked Devices for unauthorized sessions, block and report suspicious messages, and enable two-factor authentication.

APT28 Targets Ukrainian UKR-net Users in Credential Theft

🔒 Recorded Future's Insikt Group observed APT28 conducting a sustained credential-phishing campaign targeting users of UKR.net between June 2024 and April 2025. The actor, tracked as APT28 or BlueDelta and assessed as affiliated with the GRU, used UKR.net-themed login pages hosted on legitimate services like Mocky and chained redirects from link shorteners and Blogger subdomains to capture passwords and 2FA codes. Phishing emails delivered PDFs that directed recipients to these pages, and the group has moved from abusing compromised routers to leveraging proxy tunneling services such as ngrok and Serveo.

ForumTroll Phishing Targets Russian Scholars via eLibrary

📚 Kaspersky reported a targeted phishing campaign linked to Operation ForumTroll observed in October 2025 that impersonated the Russian eLibrary service. Attackers used a long-aged bogus domain to send personalized emails with one-time links to ZIP archives named for each victim, which contained a .LNK that runs a PowerShell downloader. The chain fetches a staged payload that loads a final DLL, persists via COM hijacking, deploys the Tuoni C2 framework for remote access, and shows a decoy PDF to victims.

ForumTroll Targets Political Scientists with Tuoni

📧 Kaspersky researchers have uncovered a targeted campaign by the ForumTroll APT that lures political scientists with personalized plagiarism-check links impersonating the eLibrary service. The downloaded archive contained a malicious .lnk and a .Thumbs directory with images used to evade security; filenames included each victim’s full name. When executed on Windows the .lnk ran a PowerShell chain that installed the commercial red-team framework Tuoni, used COM hijacking for persistence, and displayed a decoy PDF named for the target. Kaspersky reports detections and recommends endpoint and mail-gateway protections to stop similar email-delivered threats.

Deutsche Telekom launches anti-scam call warning system

⚠️ Deutsche Telekom has introduced Call Check, an automated warning feature that flags incoming calls listed in a database as suspicious or fraudulent. When a call from a domestic or foreign number is identified, the recipient's smartphone displays a "Caution, possible fraud!" message to warn the user. The system is applied automatically to customers on the Telekom network and joins similar protections already deployed by competitors such as Vodafone, while O2 has yet to implement an equivalent service.