
All news with #phishing tag

615 articles · page 21 of 31

DoorDash Email Spoofing Bug and Disclosure Dispute

✉️ A vulnerability in DoorDash's DoorDash for Business platform allowed an attacker to create a free account, add an 'Employee' entry containing arbitrary HTML in a budget name field, and send emails that appeared to originate from no-reply@doordash.com using official templates. The researcher known as doublezero7 supplied a proof-of-concept showing stored HTML rendered in outgoing messages, enabling persuasive phishing. DoorDash patched the flaw after public pressure, and a dispute over disclosure and alleged extortion followed.

Why Attackers Are Phishing Over LinkedIn in 2025: Risks

🔒 LinkedIn has emerged as a major vector for phishing, with a growing share of attacks moving off email and onto social and messaging platforms. Attackers exploit in‑app DMs, account takeovers, and AI automation to target executives and high‑value roles, often aiming to compromise SSO providers such as Microsoft Entra and Google Workspace. Because these messages bypass traditional email security and lack inbox quarantine tools, browser-based defenses and SSO/MFA hygiene are recommended to detect and block evasive campaigns. The article outlines five reasons this shift increases enterprise risk.

Social Engineering: How Attackers Exploit Human Weakness

🧠 Social engineering exploits human psychology to bypass technical and physical safeguards, using impersonation, deception and manipulation to gain access to systems, facilities or data. Attackers commonly use phishing, vishing, smishing, pretexting, baiting and tailgating after extensive reconnaissance to craft believable lures. High-value targets are often pursued via spear-phishing or BEC schemes, while opportunistic attackers rely on mass phishing. Practical defenses include ongoing security awareness training, verified procedures for urgent requests and realistic simulation tests; tools such as Social-Engineer Toolkit help organizations test their resilience.

DoorDash Discloses October Data Breach Exposing Contacts

🔔 DoorDash disclosed an October data breach after an employee fell for a social engineering scam, allowing an unauthorized third party to access certain user contact information. Notified users were told exposed data varied by person and could include names, physical addresses, phone numbers and email addresses; the company said Social Security Numbers were not accessed. DoorDash said it shut off access, engaged a forensic firm, notified law enforcement, and warned users to watch for phishing; affected users can call a helpline and cite reference code B155060.

Russian Phishing Campaign Creates 4,300 Fake Travel Sites

💳 A Russian-speaking threat actor has registered more than 4,300 domains since early 2025 to host convincing fake travel and hotel booking pages that harvest payment card data. According to Netcraft researcher Andrew Brandt, the campaign—active since February—uses a customizable phishing kit that serves branded pages for platforms like Booking, Expedia, and Airbnb and supports 43 languages. The kit requires a unique AD_CODE in the URL to render targeted branding (otherwise visitors see a blank page), employs fake Cloudflare-style CAPTCHA, and persists state in a cookie so subsequent pages maintain consistent impersonation. Victims are prompted to pay a deposit; entered card numbers, expiry and CVV are processed in the background while a bogus support chat guides users through a sham 3D Secure step to complete the theft.

AI Sidebar Spoofing Targets Comet and Atlas Browsers

⚠️ Security researchers disclosed a novel attack called AI sidebar spoofing that allows malicious browser extensions to place counterfeit in‑page AI assistants that visually mimic legitimate sidebars. Demonstrated against Comet and confirmed for Atlas, the extension injects JavaScript, forwards queries to a real LLM when requested, and selectively alters replies to inject phishing links, malicious OAuth prompts, or harmful terminal commands. Users who install extensions without scrutiny face a tangible risk.

Google Sues to Disrupt China-Based SMS Phishing Operation

📱 Google has filed suit in the Southern District of New York to unmask and disrupt 25 unnamed operators tied to Lighthouse, a China-based phishing kit that has victimized over one million people across 120 countries. The complaint alleges Lighthouse powers a “Smishing Triad” that spoofs trusted brands, blasts mass text lures, and automates enrollment of stolen cards into mobile wallets using one-time verification codes. Google asserts trademark infringement and RICO claims and seeks to dismantle the coordinated groups behind the service.

ThreatsDay Bulletin: Key Cybersecurity Developments

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.

Password managers under attack: risks, examples, defenses

🔐 Password managers centralize credentials but are attractive targets for attackers who exploit phishing, malware, vendor breaches, fake apps and software vulnerabilities. Recent incidents — including a 2022 LastPass compromise and an ESET‑reported North Korean campaign — demonstrate how adversaries can exfiltrate vault data or trick users into surrendering master passwords. To reduce risk, use a long unique master passphrase, enable 2FA, keep software and browsers updated, install reputable endpoint security, and only download official apps from trusted stores.

Google Asks US Court to Shut Down Lighthouse Phishing

🛡️ Google has asked a US court to dismantle infrastructure used by the Lighthouse phishing‑as‑a‑service operation after identifying at least 107 sign‑in templates that mimic Google branding. The service is marketed to attackers who send smishing links and host fraudulent sign‑in pages to harvest credentials. Google also urged Congress to consider GUARD, Foreign Robocall Elimination and SCAM bills to bolster enforcement and funding. The company declined additional comment.

Google Sues to Dismantle Lighthouse Phishing Platform

⚖️ Google has filed a lawsuit to dismantle the Lighthouse phishing‑as‑a‑service platform accused of enabling global SMS phishing (“smishing”) that impersonates USPS and toll providers. The company says Lighthouse has impacted more than 1 million victims in 120 countries and that similar scams may have exposed up to 115 million U.S. payment cards between July 2023 and October 2024. Google’s complaint invokes federal racketeering, trademark, and computer fraud laws and seeks to seize the infrastructure hosting fraudulent templates that even mimic Google sign‑in screens.

Google Sues to Dismantle Lighthouse Phishing Platform

🛡️ Google has filed a lawsuit seeking to dismantle Lighthouse, a China-linked phishing-as-a-service platform accused of powering global SMS phishing ("smishing") campaigns that impersonate USPS and E-ZPass. Google says Lighthouse has impacted more than 1 million victims across 120 countries and that phishing templates even display Google's branding to trick users. The company is pursuing federal claims including RICO, the Lanham Act, and the CFAA while expanding AI and product protections.

Google Sues China-Based Operators of PhaaS 'Lighthouse'

⚖️ Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York against China-based operators of the PhaaS kit Lighthouse, which Google says has ensnared over one million users across 120 countries. The platform is accused of powering industrial-scale SMS phishing (smishing) campaigns that impersonate trusted brands like E-ZPass and USPS to steal financial data. Google alleges the actors illegally used its trademarks on at least 107 spoofed sign-in templates and seeks to dismantle the infrastructure under RICO, the Lanham Act, and the Computer Fraud and Abuse Act. Security firms link Lighthouse to a broader PhaaS ecosystem including Darcula and Lucid, and to a smishing syndicate tracked as Smishing Triad.

Maverick Banking Malware Spreads via WhatsApp Web in Brazil

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.

Quantum Route Redirect: Automated PhaaS Targets 90 Countries

🔒 KnowBe4 has identified a new phishing-as-a-service platform called Quantum Route Redirect that automates large-scale credential theft across roughly 90 countries and is hosted on about 1,000 domains. The kit distinguishes security tools from real users to evade URL scanning and some web application firewalls, routing victims to Microsoft 365 credential-harvesting pages. It includes redirect configuration, traffic analytics, monitoring dashboards and themed lures such as DocuSign and payroll impersonations. KnowBe4 urges multi-layered defenses including NLP-driven email analysis, sandboxing, continuous monitoring and rapid incident response.

Quantum Route Redirect PhaaS Exploits Microsoft 365 Users

📧 KnowBe4 researchers have identified a phishing automation kit named Quantum Route Redirect (QRR) that uses roughly 1,000 domains to harvest Microsoft 365 credentials. The platform is preconfigured with common lures—DocuSign requests, payment notifications, missed voicemail notices and QR prompts—and typically hosts landing pages on parked or compromised legitimate domains to aid social engineering and evade detection. QRR includes a built-in filter that distinguishes humans from bots and security scanners, redirecting genuine users to credential-harvesting pages while sending automated systems to benign sites. Most observed attacks target U.S. users, and defenders are urged to deploy robust URL filtering and continuous account monitoring.

5 Reasons Attackers Prefer Phishing via LinkedIn Channels

🔒 Phishing is moving beyond email to platforms like LinkedIn, where direct messages sidestep traditional email defenses and evade many web-based controls. Attackers exploit account takeovers, weak MFA adoption, and AI-driven outreach to scale targeted campaigns against executives and cloud identity services. Because LinkedIn messages are accessed on corporate devices but outside email channels, organizations often rely on user reporting and URL blocking—measures that are slow and ineffective. Vendor Push Security recommends browser-level protections that analyze page code and behavior in real time to block in-browser phishing and SSO-based compromises.

Phishing Campaign Uses Meta Business Suite to Target SMBs

📨 Check Point email security researchers uncovered a large-scale phishing campaign that abuses Meta's Business Suite and the facebookmail.com delivery domain to send convincing fake notifications. Attackers craft messages that appear to originate from Meta, allowing them to bypass many traditional security filters and increase the likelihood of SMBs across the U.S. and internationally engaging with malicious links or credential-stealing pages. Organizations should strengthen email defenses, monitor suspicious Business Suite activity, and educate staff to reduce exposure.

NCA Campaign Targets Men Under 45 Over Crypto Scams

🚨 The UK's National Crime Agency (NCA) has launched the "Crypto Dream Scam Nightmare" campaign to warn men under 45 about crypto investment fraud that lures victims with professional sites, apps and romance baiting. The initiative, part of the Home Office's Stop! Think Fraud programme, includes a short video and a 10-tip info sheet to help people recognise and avoid scams. The NCA noted Action Fraud logged over 17,000 investment fraud reports last year.

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL-side‑loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.