All news with #phishing tag

📩 Attackers abused GitHub's notification system to send fake Y Combinator W2026 invitations by creating issues and tagging users so the platform would deliver legitimate-looking emails. The lure promised participation in a purported $15 million funding program and linked to a typo-squatted domain. That site ran obfuscated JavaScript and presented an EIP-712-style wallet verification prompt that, when signed, authorized draining transactions.

🔍 Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that likely leveraged AI-generated code to obfuscate its payload inside an SVG attachment. The malicious SVG imitated a PDF and hid JavaScript within invisible, business-themed elements and a long sequence of business terms that the embedded script decoded into redirects, browser fingerprinting, and session tracking. Microsoft Defender for Office 365 blocked the activity by correlating infrastructure, behavioral, and message-context signals, while Security Copilot flagged the code as likely LLM-generated.

🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.

🔗 Phishing attacks are increasingly delivered outside traditional email — via social media, instant messaging, SMS, malvertising and in‑app messengers — making mail gateways insufficient. Attackers now send links from compromised accounts, targeted ads or SaaS messages and use fast‑rotating domains and advanced Attacker‑in‑the‑Middle (AitM) kits that obfuscate JavaScript and the DOM to evade network detection. Organizations often rely on user reports and URL blocking, but these approaches fail against rapid domain churn and client‑side stealth. Vendors such as Push Security propose browser‑level detection that monitors real‑time page behavior to identify AitM, session hijacking and credential theft.

🤖 AI-driven phishing campaigns are increasingly using convincing fake CAPTCHA pages to bypass security filters and trick users into revealing credentials. Trend Micro found these AI-generated pages hosted on developer platforms such as Lovable, Netlify, and Vercel, with activity observed since January and a renewed spike in August. Attackers exploit low-friction hosting, platform credibility, and AI coding assistants to rapidly clone brand-like pages that first present a CAPTCHA, then redirect victims to credential-harvesting forms. Organizations should combine behavioural detection, hosting-provider safeguards, and phishing-resistant authentication to reduce risk.

⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to steal personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly, avoiding sponsored search results and mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal and provide full details.

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.

⚠️ The FBI warns that cybercriminals are creating spoofed versions of the Internet Crime Complaint Center (IC3) website to harvest personally identifiable information and facilitate financial scams. The agency noted over 100 reports between December 2023 and February 2025 prompting a public service announcement and flagged domains that mimic ic3.gov. Users are advised to type www.ic3.gov directly, avoid sponsored search results, never share sensitive data, and remember the FBI will never ask for payment to recover funds.

🔍 Netcraft reports that the PhaaS platforms Lucid and Lighthouse are linked to more than 17,500 phishing domains impersonating 316 brands across 74 countries. Lucid, first documented by PRODAFT in April, supports smishing via Apple iMessage and RCS and is tied to the Chinese-speaking XinXin group. Both services offer customizable templates, real-time victim monitoring, and granular targeting controls (User-Agent, proxy country, configured paths) that restrict access to intended victims. Lighthouse subscriptions run from $88 per week to $1,588 per year, underscoring the commercial scale of these offerings.

🛡️ The article warns NFT buyers about practical security risks that can turn valuable tokens into worthless assets. It describes attacks such as metadata manipulation and centralized storage that permit creators to change or remove artwork after sale, and marketplace scams that exploit currency symbols and interface design. The piece highlights phishing vectors including Discord takeovers and malicious airdrops, and recommends defenses like multi-wallet segregation, the five-minute rule, and regular permission audits.

🔐 Trend Micro researchers report cybercriminals are using AI-powered site builders like Lovable, Vercel and Netlify to rapidly create convincing fake CAPTCHA pages. Seen since January 2025 with a sharp escalation from February to April, these pages make phishing links appear legitimate and can help evade automated scanners by presenting a CAPTCHA before redirecting users to credential-stealing sites. Recommended mitigations include employee education, redirect-chain analysis and monitoring trusted domains for abuse.

🛡️ Microsoft's Digital Crimes Unit has seized 338 domains to dismantle the Phishing‑as‑a‑Service platform RaccoonO365, which enabled low‑skilled actors to deploy convincing Microsoft login pages. The DCU reports the service compromised more than 5,000 accounts across 94 countries since July 2024 and could bypass MFA to maintain persistent access. Operators marketed AI enhancements to scale attacks and collected at least $100,000 in cryptocurrency, prompting legal action to disrupt the infrastructure and seize control of the platform.

🎭 In episode 435 of Smashing Security, host Graham Cluley and guest Jenny Radcliffe discuss a sophisticated phishing campaign that used fake casting calls to lure Israeli performers, illustrating how flattering, opportunity-based lures can be as persuasive as fear-based tactics. They also cover Check Point’s findings on Iran-linked activity, the UK ICO’s warning about students hacking schools, and lighter cultural items including Endeavour and a local “Catman” story. The episode blends practical security analysis with humour and sponsored segments.

⚠️Kaspersky tracked TA558, operating under the cluster known as RevengeHotels, using AI-generated JavaScript and PowerShell loaders in summer 2025 to deliver Venom RAT to hotels in Brazil and Spanish-speaking markets. Phishing emails in Portuguese and Spanish used reservation and job-application lures to coax users into running a WScript payload that chains to a PowerShell downloader fetching 'cargajecerrr.txt' and subsequent loaders. The Venom RAT, based on Quasar, includes data-stealing, reverse-proxy, persistence and aggressive anti-kill features aimed at harvesting payment card data from hotel systems and OTAs.

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into file upload address bars. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

🔍 Huntress analysts observed an uptick in attacks that combine classic ClickFix social engineering with more advanced deployment techniques over the past fifteen business days. A fake AnyDesk installer used a Cloudflare Turnstile lure that opened Windows File Explorer via the search-ms protocol to deliver an LNK payload disguised as a PDF and install an MSI that dropped MetaStealer. Separately, operators deployed Cephalus ransomware using DLL sideloading through the legitimate SentinelOne host binary, illustrating evolving tradecraft that mixes manual user interaction and technical evasion.

🔒 Microsoft and Cloudflare coordinated a disruption of the RaccoonO365 Phishing-as-a-Service operation in early September 2025, seizing 338 malicious websites and Cloudflare Worker accounts. The service is linked to at least 5,000 stolen Microsoft 365 credentials from 94 countries since July 2024 and was used in large campaigns, including a tax-themed sweep that targeted over 2,300 U.S. organizations. Kits bundled CAPTCHA and anti-bot evasion, were sold via a private Telegram channel, and investigators identified a suspected leader, prompting a criminal referral.

🔒 Microsoft and Cloudflare executed a coordinated takedown of RaccoonO365, a Nigerian-run phishing-as-a-service platform tracked by Microsoft as Storm-2246. The joint effort seized 338 domains and dismantled infrastructure that reportedly generated hundreds of millions of malicious messages and could bypass some MFA protections. Cloudflare removed intermediary Cloudflare Workers shields and deployed phish warning pages, while Microsoft pursued legal action and criminal referrals. The disruption exposed risks to healthcare providers and highlighted cross-border enforcement limits.

🛡️ Microsoft’s Digital Crimes Unit says it has dismantled the infrastructure behind RaccoonO365, seizing 338 malicious websites tied to the Storm-2246 phishing kit. The DCU, acting under a court order from the Southern District of New York, identified Nigeria-based operator Joshua Ogundipe and disrupted a Telegram-based subscription service with roughly 850 members. Microsoft says the service, launched July 2024, enabled the theft of thousands of Microsoft365 credentials, included tools to bypass MFA, and recently promoted an AI-powered feature to scale attacks.

🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.