
All news with #phishing tag

615 articles · page 18 of 31

Telegram Mini App Phishing Exploits NFT Gifts Airdrops

🔒 Kaspersky describes a phishing campaign that abuses Telegram Mini Apps to harvest credentials by promising free NFT-style 'gifts' and airdrops. Attackers embed convincing fake Mini Apps inside the official Telegram client, exploiting users' trust in in-app content and minimal platform vetting. Kaspersky urges users to verify sources, avoid entering login codes inside Mini Apps, enable two-step verification and passkeys, and store credentials in a password manager.

AI-Enhanced Phishing and Social Scams Surge Before Christmas

⚠️ Check Point reports a surge in Christmas-themed phishing and social scams, detecting 33,500 unique phishing emails and over 10,000 seasonal social ads in a recent two-week period. Threat actors are using AI to produce flawless local-language messages, build fake e-commerce sites with working checkouts, and generate deepfake audio and smishing that mimic delivery alerts. Consumers should watch for spoofed URLs, unusual payment requests, new or inactive accounts and emotional triggers, and avoid clicking unsolicited links or sharing credentials.

Phantom Stealer delivered via ISO-based phishing chain

📧 Seqrite Labs has uncovered a Russian-origin phishing campaign, tracked as Operation MoneyMount-ISO, that delivers the Phantom information stealer through a multi-stage attachment chain. Attackers distribute a ZIP containing an ISO that auto-mounts and displays a disguised executable; running it triggers a loader that decrypts a malicious DLL and injects the stealer into memory while performing extensive anti-analysis checks. The campaign targets Russian-speaking finance, procurement and HR roles, harvesting passwords, cookies, crypto wallets, keystrokes and Discord tokens, then exfiltrating data via Telegram bots, Discord webhooks and FTP.

2025 Phishing Trends: Omni-channel Attacks and PhaaS

🔒 2025 saw substantial attacker innovation in phishing, with identity-focused techniques becoming more effective and pervasive. Phishing moved beyond email into omni-channel vectors such as LinkedIn DMs, malicious search results, compromised sites and malvertising, which evade traditional email defenses. Criminal PhaaS kits (Tycoon, Sneaky2FA, Evilginx variants and others) commoditized AiTM and MFA-bypass capabilities. Security teams are urged to expand detection into the browser and close visibility gaps with browser-based response.

Christmas 2025 Scams: AI-Driven Phishing and Fake Deals

🎄 AI and automation are enabling more sophisticated holiday scams in 2025, making fraudulent emails, fake retail sites, and social media giveaways harder to detect. Check Point researchers flagged over 33,500 Christmas-themed phishing emails and more than 10,000 suspicious holiday ads within a 14-day window, underscoring a global surge. Practical guidance emphasizes recognizing red flags, validating sellers, and using multi-factor authentication and updated security tools to protect holiday shoppers.

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.

PayPal Subscriptions Abused to Send Fake Purchase Emails

⚠️ BleepingComputer warns that attackers are abusing PayPal's Subscriptions feature to send legitimate-looking emails from service@paypal.com that include fake purchase notifications embedded in the Customer Service URL field. The messages pass DKIM/SPF and originate from PayPal mail servers, but include manipulated metadata or API-supplied text and obfuscated Unicode to evade filters. Recipients are advised to ignore the phone number in such emails and verify charges directly in their PayPal account.

New AI-enabled Phishing Kits Escalate Credential Theft

🔒 Four newly documented phishing kits — BlackForce, GhostFrame, InboxPrime AI, and Spiderman — enable large-scale credential theft and advanced MFA bypass techniques. BlackForce (first seen August 2025) uses Man‑in‑the‑Browser (MitB) capabilities to capture OTPs and exfiltrate data to Telegram/C2 panels, while GhostFrame hides phishing pages inside iframes. InboxPrime AI automates high-quality mass mailings with generative assistance, and Spiderman offers full-stack banking replicas with ISP and geofence filtering. Researchers warn these kits lower the bar for attackers and recommend layered defenses including phishing-resistant MFA, strong email validation, anomaly detection, and user training.

Tracing Stolen Data After Phishing: Market and Risks

🔒 Kaspersky examines the lifecycle of personal data stolen through phishing, showing how information is harvested, traded, verified and repeatedly reused across the shadow market. Stolen records are collected via forms and transmitted by email, Telegram bots or specialized admin panels before being bundled into bulk dumps, analyzed and resold. The report highlights targeted categories, average resale values for different account types and practical protections such as using 2FA, passkeys and a password manager, plus immediate steps to take if your data has been exposed.

Spiderman phishing kit targets dozens of European banks

🕷️ Spiderman is a newly observed phishing kit that replicates banking and cryptocurrency login flows to capture credentials, 2FA codes, credit card details, and wallet seed phrases. Researchers at Varonis report it targets customers across five European countries and major brands including Deutsche Bank, ING, CaixaBank, PayPal, and crypto wallets such as Ledger and Metamask. The kit’s modular control panel lets operators filter victims by country or device, intercept PhotoTAN and OTP codes in real time, export harvested data with one click, and redirect non-targeted visitors.

40,000 Phishing Emails Masquerade as E‑Signing Services

📧 Attackers impersonating file-sharing and e-signature platforms sent over 40,000 finance-themed phishing emails, researchers at Check Point report. These messages mimicked notifications from services like SharePoint and popular e-signing vendors to coax recipients into clicking links or entering credentials. The campaign targeted finance workflows and aimed to harvest credentials or deliver follow-on malware, underscoring the need for robust email security and user vigilance.

SpyCloud: Phishing Targets Corporate Users 3x More

🔍 SpyCloud reported a 400% year‑over‑year increase in successfully phished identities, finding nearly 40% of more than 28 million recaptured phish records contained business email addresses—about three times the rate observed in recaptured malware. The company warns phishing has become the preferred gateway into enterprise environments and is fueling follow‑on attacks such as ransomware. SpyCloud urges organizations to adopt real‑time visibility and automated post‑compromise remediation across both personal and professional identities.

SMS Phishers Pivot to Points, Taxes and Fake Retailers

🚨 China-based phishing-as-a-service groups have deployed thousands of mobile-targeted scam domains using SMS (iMessage/RCS) lures that promise rewards points, tax refunds or bargains to harvest payment data. Sites collect name, address and card details, then request a one-time code — which fraudsters use to enroll stolen cards in Apple or Google mobile wallets. These fake e-commerce shops are advertised on major platforms and can remain active for months, making them harder to detect; reporting suspicious messages and domains to blocklists such as SURBL and threat scanners helps accelerate takedowns.

GhostFrame Phishing Framework Surpasses One Million Attacks

🔍 A newly discovered phishing framework named GhostFrame has been linked to more than one million attacks, according to Barracuda. The kit uses a benign-looking outer HTML page that conceals a malicious iframe, enabling attackers to swap content, target regions and evade scanners without changing the visible landing page. GhostFrame employs a two-stage chain: the loader creates randomized subdomains and validates them before loading an internal credential-stealing page, and includes anti-analysis controls that block inspection shortcuts and restrict user actions. Barracuda recommends a multilayered defense—regular browser updates, staff training, email gateways and web filters, restricting iframe embedding, and monitoring for injected or redirected content.

UDPGangster Backdoor Campaigns Target Turkey, Israel

🔒 FortiGuard Labs reports multiple campaigns deploying the UDPGangster UDP-based backdoor, attributed to the MuddyWater espionage group. Attackers used macro-embedded Microsoft Word documents delivered via phishing, impersonating official Turkish emails and targeting users in Turkey, Israel, and Azerbaijan. The malware implements persistence, extensive anti-analysis checks, and UDP C2 communications to exfiltrate data and execute remote commands. Fortinet detections and protections are available to mitigate these threats.

Phishing, Privileges and Passwords: Identity Risk Guide

🔒 Identity-focused attacks are driving major breaches across industries, with recent vishing incidents at M&S and Co-op enabling ransomware intrusions and combined losses exceeding £500 million. Attackers harvest credentials via infostealers, targeted phishing/smishing/vishing, breached password stores and automated attacks like credential stuffing. To limit blast radius, implement least privilege, strong unique passwords stored in password managers, MFA (authenticator apps or passkeys), PAM and automated identity lifecycle controls.

Google Extends Android In-Call Scam Protection to US Banks

🔒 Google is expanding its Android in-call scam protection to cover several U.S. financial apps, including Cash App and the JPMorgan Chase mobile banking app. The feature, introduced with Android 16, warns users when they launch a financial app while sharing their screen during a call with an unknown number, presenting a persistent 30-second alert that only allows ending the call. The protection runs on Android 11 and later and remains in a testing phase.

Android expands in-call scam protection to banks and fintech

🔒 Android is expanding its pilot for in-call scam protection that detects when users launch participating financial apps while screen sharing during calls from unsaved numbers. The feature warns users, offers a one-tap end-call and stop-sharing option, and enforces a 30-second pause to disrupt social engineering. After UK success and pilots in Brazil and India, Google is rolling out pilots with US fintechs including Cash App and banks like JPMorganChase.

Hybrid 2FA Phishing Kits Evade Kit-Specific Detection

🔐 Researchers at Any.Run report a hybrid 2FA-phishing strain that fuses elements of Salty2FA and Tycoon2FA, producing payloads that evade detection rules tuned to either kit alone. The samples begin with Salty-style obfuscation and trampoline JavaScript, then shift into Tycoon’s DGA domains and AiTM execution chain. Analysts warn defenders to focus on behavioral patterns and fallback routines rather than static indicators of compromise.

NCSC's Share and Defend Blocks Nearly One Billion in UK

🔒 The UK's National Cyber Security Agency (NCSC) reports its Share and Defend service has blocked almost one billion attempts to access malicious websites in under a year. Launched in May 2024, the service aggregates threat intelligence and indicators of compromise (IOCs) from partners and data sources, then shares them with ISPs such as BT, Vodafone, and TalkTalk for DNS filtering. When users try to follow phishing links, fraudulent texts or scam adverts, connections to known malicious domains are stopped automatically. The initiative supports the government's Stop! Think Fraud campaign and aims to reduce online fraud for consumers and businesses.