All news with #phishing tag

AI Sidebar Spoofing Targets Comet and Atlas Browsers

⚠️ Security researchers disclosed a novel attack called AI sidebar spoofing that allows malicious browser extensions to place counterfeit in‑page AI assistants that visually mimic legitimate sidebars. Demonstrated against Comet and confirmed for Atlas, the extension injects JavaScript, forwards queries to a real LLM when requested, and selectively alters replies to inject phishing links, malicious OAuth prompts, or harmful terminal commands. Users who install extensions without scrutiny face a tangible risk.

Google Sues China-Based Operators of PhaaS 'Lighthouse'

⚖️ Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York against China-based operators of the PhaaS kit Lighthouse, which Google says has ensnared over one million users across 120 countries. The platform is accused of powering industrial-scale SMS phishing and smishing campaigns that impersonate trusted brands like E-ZPass and USPS to steal financial data. Google alleges the actors illegally used its trademarks on at least 107 spoofed sign-in templates and seeks to dismantle the infrastructure under the RICO, Lanham Act, and the Computer Fraud and Abuse Act. Security firms link Lighthouse to a broader PhaaS ecosystem including Darcula and Lucid, and to a smishing syndicate tracked as Smishing Triad.

Payroll Pirates Malvertising Hijacks Hundreds of Sites

🏴‍☠️ Since mid‑2023, researchers tracked a financially motivated malvertising network named Payroll Pirates that impersonated payroll portals to harvest credentials and facilitate fraud. The operation used sponsored ads to funnel more than 500,000 visitors to cloned login pages and targeted over 200 interfaces, including payroll systems, credit unions, and trading platforms across the U.S. Its tactics evolved with refined ad placement, credential-harvesting pages, and coordinated infrastructure to maximize theft and evade detection.

Cyber spies target German public administration, says BSI

🔒 The German Federal Office for Information Security (BSI) reports that cyber espionage is increasingly targeting public administration, with notable victims in defense, judiciary and public safety. The 1 July 2024–30 June 2025 report notes law-enforcement actions against ransomware providers LockBit and Alphv but warns many incidents go unreported. It highlights rising quishing and vishing attacks, insufficient basic protections—especially among SMEs and political organizations—and calls for stronger investment and reduced dependence on U.S. infrastructure.

Quantum Route Redirect: Automated PhaaS Targets 90 Countries

🔒 KnowBe4 has identified a new phishing-as-a-service platform called Quantum Route Redirect that automates large-scale credential theft across roughly 90 countries and is hosted on about 1,000 domains. The kit distinguishes security tools from real users to evade URL scanning and some web application firewalls, routing victims to Microsoft 365 credential-harvesting pages. It includes redirect configuration, traffic analytics, monitoring dashboards and themed lures such as DocuSign and payroll impersonations. KnowBe4 urges multi-layered defenses including NLP-driven email analysis, sandboxing, continuous monitoring and rapid incident response.

Phishing Campaign Uses Meta Business Suite to Target SMBs

📨 Check Point email security researchers uncovered a large-scale phishing campaign that abuses Meta's Business Suite and the facebookmail.com delivery domain to send convincing fake notifications. Attackers craft messages that appear to originate from Meta, allowing them to bypass many traditional security filters and increase the likelihood of SMBs across the U.S. and internationally engaging with malicious links or credential-stealing pages. Organizations should strengthen email defenses, monitor suspicious Business Suite activity, and educate staff to reduce exposure.

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL-side‑loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.

Phishing texts impersonate Find My to steal Apple IDs

📱 The Swiss NCSC warns of smishing attacks that impersonate Apple's Find My team, telling owners their lost iPhone has been found to lure them to a fake login page. Messages can cite device details visible on the lock screen and use the displayed contact info to target victims. The counterfeit pages request the user's Apple ID and password, which attackers then use to remove Activation Lock. Users should enable Lost Mode, avoid unsolicited links, use a dedicated contact email, and protect their SIM with a PIN.

Enterprise Credentials at Risk: Same Old Compromise Cycle

🔐 The article outlines how everyday credential reuse and phishing feed a persistent compromise lifecycle: credentials are created, stolen, aggregated, tested, and ultimately exploited. It details common vectors — phishing, credential stuffing, third-party breaches, and leaked API keys — and describes criminal marketplaces, botnets, opportunistic fraudsters, and organized crime as distinct actors. Consequences include account takeover, lateral movement, data theft, resource abuse, and ransomware, and the piece urges immediate action such as scanning for leaked credentials with tools like Outpost24's Credential Checker.

Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.

Securing the Open Android Ecosystem with Samsung Knox

🔒 Samsung Knox is a built-in security platform for Samsung Galaxy devices that combines hardware- and software-level protections to safeguard enterprise data and provide IT teams with centralized control. It layers defenses — including AI-powered malware detection, curated app controls, Message Guard for zero-click image scanning, and DEFEX exploit detection — while integrating with EMMs and offering granular update management via Knox E-FOTA. The platform emphasizes visibility, policy enforcement, and predictable lifecycle management to reduce risk and operational disruption.

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.

Preventing SOC Burnout with Real-Time Analysis and Automation

🛡️ SOC teams can reduce analyst burnout by replacing noisy alerts and manual chores with real-time behavioral context, automation, and integrated threat intelligence. Platforms such as ANY.RUN deliver interactive sandboxing that exposes full attack chains, automates human-like interactions (for example, solving CAPTCHAs and revealing hidden redirects), and pushes verified IOCs directly into SOC workflows. Organizations report up to 3× faster triage, fewer false positives, and a calmer, more resilient security operations center.

Operation SkyCloak: Tor-Enabled Backdoor Targets Defense

🔒 Attackers are deploying a persistent backdoor using OpenSSH and a customized Tor hidden service to target defense-related organizations in Russia and Belarus. The Operation SkyCloak campaign uses weaponized ZIP attachments and LNK-triggered PowerShell stagers that perform sandbox evasion and write an .onion hostname into the user's roaming profile. Persistence is established via scheduled tasks that run a renamed sshd.exe and a bespoke Tor binary using obfs4, enabling SSH, SFTP, RDP and SMB access over Tor.

Hackers Use RMM Tools to Breach Freighters and Steal Cargo

🚨 Threat actors are targeting freight brokers and carriers with malicious emails and compromised load-board posts to deliver remote monitoring and management tools (RMM) such as ScreenConnect, NetSupport, and PDQ Connect. Once installed, attackers gain remote control to alter bookings, block notifications, harvest credentials, and impersonate carriers to reroute and physically steal high-value shipments. Proofpoint tracked dozens of campaigns since January, primarily in North America, exploiting social engineering and legitimate RMM functionality.

LinkedIn Phishing Targets Finance Executives With Fake Board

🔒 Hackers are exploiting LinkedIn direct messages to phish finance executives with messages claiming to invite recipients to an executive board and leading to credential-harvesting pages. Push Security says victims are redirected — including via a Google open redirect — to a Firebase-hosted 'LinkedIn Cloud Share' page that urges users to click a 'View with Microsoft' button. That flow then presents a Cloudflare Turnstile and a fake Microsoft sign-in used as an adversary-in-the-middle to capture credentials and session cookies; organizations should verify senders, avoid unsolicited links, and enforce MFA and conditional access.

Protecting Older Family Members From Financial Scams

🔒Elder fraud is rising sharply: in 2024 Americans aged 60+ reported nearly $4.9 billion lost to online scams, with an average loss of about $83,000 per victim. Effective protection pairs ongoing, shame-free family communication with practical technical measures and a clear remediation plan. Teach relatives to use a password manager, enable two-factor authentication, block popups and robocalls, keep devices updated, and verify any urgent financial request before acting.

Atroposia RAT Emerges on Dark Web with Modular Toolset

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.

BiDi Swap: Bidirectional Text Trick Makes Fake URLs Look Real

🔍 Varonis Threat Labs highlights BiDi Swap, a technique that exploits Unicode bidirectional rendering to make malicious URLs appear legitimate. By mixing Right-to-Left and Left-to-Right scripts, attackers can visually move parameters, paths, or subdomains into the apparent host name to facilitate phishing and spoofing. Browser defenses vary — some highlight domains or flag lookalikes while others leave gaps — so the report urges user caution and vendor improvements.

CoPhish: Microsoft Copilot Studio Agents Steal OAuth Tokens

🔐 Datadog Security Labs has described a new phishing technique called CoPhish that abuses Copilot Studio agents to present fraudulent OAuth consent requests on legitimate Microsoft-hosted demo pages. Attackers can configure an agent’s Login topic to deliver a malicious sign-in button that redirects to a hostile application and exfiltrates session tokens. Microsoft confirmed it will address the underlying causes in a future update and recommends governance and consent hardening to reduce exposure.