< ciso brief />

All news with #phishing tag

614 articles · page 2 of 31

UK Fines Water Supplier £963,900 After Data Breach

🔒 The ICO fined South Staffordshire Water Plc and parent South Staffordshire Plc £963,900 after a cyberattack that exposed the personal data of 663,887 customers and employees. The incident, traced back to September 2020 and active mainly between May and July 2022, began with a phishing intrusion that enabled malware to remain undetected for 20 months. The regulator identified multiple security failures, including insufficient privilege controls, monitoring that covered only about 5% of the IT estate, use of obsolete software and poor vulnerability and patch management.

Signal Adds Warnings to Combat Social Engineering Attacks

🔒 Signal has rolled out new in-app confirmations and warning messages to help users detect phishing and social engineering attempts that abuse the Linked Device feature. The updates add visible cues such as “Name not verified” and “No groups in common”, stronger safety tips, and prompts reminding users the app will never ask for registration codes, PINs, or recovery keys. These measures aim to introduce friction so recipients can better evaluate external requests.

Fake Claude Code Installer Steals Browser Credentials

🔒 Ontinue detailed a campaign distributing a previously undocumented information stealer via fake Claude Code install pages that hijack Chromium browsers to bypass App-Bound Encryption and exfiltrate cookies, passwords and payment data from developer workstations. The lure substituted the canonical Anthropic host for an attacker-controlled domain while /install.ps1 returned a verbatim genuine installer, letting automated scanners see benign PowerShell. A native helper is reflectively injected into browser processes to invoke the IElevator2 COM interface and extract encryption keys, while the PowerShell layer handles persistence, collection and C2 communications. Defenders are urged to enforce constrained PowerShell, enable script block logging and block newly registered domains.

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.

Australia Alerts to ClickFix Campaign Distributing Vidar

⚠️ The Australian Cyber Security Centre (ACSC) warns of an ongoing campaign using the ClickFix social-engineering technique to deliver Vidar Stealer. Attackers compromise WordPress sites and redirect visitors to pages that display fake Cloudflare verification or CAPTCHA prompts instructing users to copy and execute malicious PowerShell commands. Once executed, the payload launches Vidar, which operates from memory and targets browser credentials, cookies, cryptocurrency wallets, autofill data, and system information. ACSC advises restricting PowerShell execution, applying application allow-listing, and keeping WordPress themes and plugins updated or removed when unused.

Webinar: Stopping Patient Zero — One Click Defense

🔒 This webinar delivers a practical, technical playbook for identifying and neutralizing a corporate 'Patient Zero'—the first compromised device that enables rapid lateral movement. Speakers will unpack how generative AI enables stealthy phishing, the critical five-minute window, and how Zero Trust isolation halts spread. Attendees gain an actionable Recovery Blueprint to contain, remediate, and restore systems.

Fake Claude-Pro Site Distributes Beagle Windows Backdoor

⚠️ A fake Claude website pushed a 505MB archive named 'Claude-Pro-windows-x64.zip' that installs a trojanized MSI and drops three Startup files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos and Malwarebytes analysis shows the signed G Data updater is abused to sideload avk.dll and an encrypted payload, which decrypts an in-memory DonutLoader that deploys the new Beagle backdoor. Beagle runs in memory, communicates with C2 at license.claude-pro[.]com (8.217.190[.]58) over TCP/443 or UDP/8080 using a hardcoded AES key, and supports basic file and command operations.

Rise in Vercel Abuse for Phishing Campaigns, Cofense Warns

⚠️ Cofense warns that low-skilled threat actors are increasingly abusing Vercel's v0.dev GenAI tools to generate convincing phishing pages with minimal effort. Attackers can prototype for free, purchase tokens to build pages, and use Vercel hosting—its pro tier is roughly $20/month—to deploy and tear down sites quickly. Integrations with services like Telegram, AWS, Stripe and xAI further simplify operations. Cofense advises security teams to verify sender domains, watch for urgency cues and report malicious Vercel sites for takedown.

Hackers Use Google Ads to Phish ManageWP Logins via AitM

🔒 A phishing campaign abused Google sponsored search results to deliver a live adversary-in-the-middle (AitM) proxy that mimics ManageWP's sign-in page, placing the fake result above the legitimate one for the "managewp" query. Any credentials entered are exfiltrated to a Telegram channel and used in real time to bypass 2FA. Guardio Labs infiltrated the attackers' C2, observed an operator-driven phishing framework, and confirmed around 200 unique victims.

Analysis of Phone Number Clustering and Reuse in Scam Emails

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.

Forced-Momentum Autodownload Phishing via Cloud Links

📎 Modern phishing now prioritizes speed over persuasion. By forcing immediate downloads via trusted cloud providers (for example Dropbox's dl=1), attackers remove the preview step and exploit double extensions and hidden OS behavior to disguise executables. Cortex Email Security applies deep static analysis, behavioral signals, and LLM-based intent classification to detect forced-download parameters, identity-bound cloaking, and rotating social-engineering lures before they reach endpoints.

Microsoft: Phishing Campaign Uses Fake Compliance Notices

📩 Microsoft Defender Research disclosed a large-scale credential-theft campaign that targeted over 35,000 users at roughly 13,000 organizations using polished fake internal compliance notifications. Running April 15–16, 2026, the messages used enterprise-style HTML templates, organization-specific names and attached PDFs that redirected recipients through a Cloudflare CAPTCHA to staged authentication pages. Attackers employed an adversary-in-the-middle (AiTM) flow to harvest tokens and compromise accounts, primarily impacting US firms but seen in 26 countries. Microsoft recommends enabling passwordless authentication, using authenticator apps for MFA, turning on Safe Links and Safe Attachments, and configuring attack disruption in Microsoft Defender XDR.

Venomous#Helper Phishing Uses Signed RMM to Install Backdoor

🛡️ A sustained phishing campaign named Venomous#Helper is abusing signed remote monitoring and management (RMM) tools to install persistent backdoors on Windows hosts. Researchers at Securonix say attackers used SSA-branded lures that redirected via a compromised Mexican domain to a signed JWrapper binary masquerading as a government document. The payload deploys a cracked SimpleHelp build alongside a ConnectWise ScreenConnect relay, creating dual access channels and robust persistence mechanisms that evade basic gateway and EDR checks.

Microsoft details large-scale credential theft phishing

🔒 Microsoft disclosed a large-scale credential-theft phishing campaign that ran April 14–16, 2026, targeting over 35,000 users at more than 13,000 organizations across 26 countries. Attackers used polished, code-of-conduct-themed HTML lures, legitimate email delivery services and PDF attachments to funnel victims through CAPTCHA-gated pages into AiTM sign-in flows that harvested credentials and tokens, bypassing MFA. Most targets were in the U.S., with heavy impacts on healthcare, finance, professional services, and technology. Microsoft linked many endpoints to Tycoon 2FA, with additional activity tied to Kratos and EvilTokens.

Amazon SES Increasingly Abused in Phishing Attacks Globally

📧 Kaspersky reports a surge in phishing campaigns that abuse AWS Simple Email Service (SES) to bypass authentication and reputation-based defenses. Attackers are exploiting exposed AWS Identity and Access Management keys discovered in public repositories, configuration files, container images, backups, and open S3 buckets. They automate secret scanning, permission validation, and mass email distribution to send highly credible lures—custom HTML templates and fake document-signing notifications—that redirect victims to AWS-hosted phishing pages.

Amazon SES abused in phishing campaigns, Kaspersky warns

🔔 Kaspersky reports an increase in phishing campaigns that abuse Amazon Simple Email Service (SES) to send authenticated-looking malicious messages that can bypass reputation-based filters. Attackers are harvesting exposed AWS access keys from public repositories and assets, automating secret discovery, permission checks, and mass email distribution. Because messages originate from a trusted service, SPF, DKIM, and DMARC checks and IP blocks are often ineffective, prompting Kaspersky to recommend stricter IAM controls, MFA, key rotation, and IP restrictions.

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.

Multi-stage code of conduct phishing leads to AiTM tokens

🔐 Microsoft Defender Research observed a large-scale, multi-stage phishing campaign that used polished code-of-conduct lures, staged CAPTCHAs, and intermediate pages to deliver an adversary-in-the-middle (AiTM) flow that captured authentication tokens. The campaign targeted over 35,000 users across 13,000+ organizations, mainly in the United States, and employed legitimate delivery services and attacker-controlled domains. Recommended defenses include Microsoft Defender for Office 365, Safe Links, Zero-hour auto purge (ZAP), SmartScreen-enabled browsers, and phishing-resistant MFA.

Silver Fox Uses ABCDoor Backdoor via Tax Phishing Campaign

🚨 A China-based cybercrime group known as Silver Fox ran tax-themed phishing campaigns that deployed a newly identified Python backdoor called ABCDoor. The attacks used PDFs linking to ZIP/RAR archives on abc.haijing88[.]com or malicious attachments and relied on a modified RustSL loader to fetch an encrypted ValleyRAT implant, whose plugin installed ABCDoor. Kaspersky and S2W observed over 1,600 phishing emails across waves targeting India, Russia, Indonesia and others. Organizations should treat unsolicited tax correspondence with suspicion, validate attachments out-of-band, and monitor for modified RustSL and HTTPS C2 activity.

Teen Allegedly Linked to Scattered Spider Faces Extradition

🔒 A 19-year-old allegedly tied to Scattered Spider was arrested in Helsinki and is facing U.S. extradition on counts including wire fraud, conspiracy, and computer intrusion. Prosecutors say he participated in multiple social-engineering intrusions from March 2023 through 2025 that used help-desk impersonation to reset MFA and exfiltrate data. Court filings and social-media posts reportedly tied the suspect to luxurious spending and to taunting law enforcement, underscoring how poor operational security and public boasting can accelerate investigations. The case highlights the ongoing threat of phone-based account takeover and the need for stronger, phishing-resistant controls.