<ciso brief />

All news with #phishing tag

614 articles · page 31 of 31

Phishing Campaign Exploits Google Classroom: 115K Emails

📚 Check Point researchers uncovered a large-scale phishing campaign that abused Google Classroom to deliver more than 115,000 malicious emails in five coordinated waves over a single week. Attackers used fake classroom invitations carrying unrelated commercial offers to trick recipients across Europe, North America, the Middle East and Asia. The campaign targeted roughly 13,500 organizations and highlights risks when trusted collaboration tools are weaponized.

Phishing Campaign Targets Ledger Users with Fake Update

🔒 A sophisticated phishing campaign impersonating Ledger targets Nano X and Nano S Plus users with an urgent fake firmware update notice. The email claims fragments of private keys were leaked and urges immediate action, but the sender and update domains are not affiliated with Ledger. A professionally designed scam site hosted on an unrelated domain uses a support chat to coax victims into entering their seed phrase, which grants full wallet access. Organizations and individuals should treat unsolicited firmware alerts cautiously and rely on security controls and awareness training to avoid compromise.

GenAI-Enabled Phishing: Risks from AI Web Services

🚨 Unit 42 analyzes how rapid adoption of web-based generative AI is creating new phishing attack surfaces. Attackers are leveraging AI-powered website builders, writing assistants and chatbots to generate convincing phishing pages, clone brands and automate large-scale campaigns. Unit 42 observed real-world credential-stealing pages and misuse of trial accounts lacking guardrails. Customers are advised to use Advanced URL Filtering and Advanced DNS Security and report incidents to Unit 42 Incident Response.

AI-powered financial scams flood social media ads now

⚠️ AI-driven deepfake ads on social media are increasingly used to impersonate banks, celebrities and news outlets to lure victims into investment fraud. Campaigns observed in 2024–2025, including the Nomani Trojan activity, use fake or hijacked accounts, localized messaging and deepfake testimonials to harvest credentials or steer targets into scam groups. Reported losses from investment fraud are substantial, so verify offers independently and avoid clicking unsolicited financial ads.

Mobile Phishers Target Brokerage Accounts in Ramp-and-Dump

📈 Cybercriminals selling advanced mobile phishing kits have shifted from converting stolen cards into mobile wallets to hijacking brokerage accounts for a coordinated ramp and dump scheme that inflates and then collapses foreign and penny stock prices. Vendors such as Outsider (aka Chenlun) offer templates that spoof brokers via iMessage and RCS to harvest logins and SMS one-time codes. Operators use banks of phones and human handlers to preposition, trade, and liquidate positions, leaving victims with worthless shares while brokers and regulators contend with the fallout.

Unexpected parcel scams: brushing, quishing, and more

📦 Delivery scams now include evolved brushing and QR-based "quishing" campaigns that use unsolicited packages or printed postcards to trick recipients into visiting malicious sites, paying fake fees, or installing malware. Scammers may include QR codes, phone numbers, or counterfeit tracking cards to extract payment data, one-time codes, or to prompt app installs. Never scan printed QR codes or call numbers on unexpected parcels; verify shipments via official courier channels and avoid connecting unknown USB devices. Enable two-factor authentication and report suspicious packages to the courier and police.

Smashing Security #430: Poisoned Calendar Invites & ChatGPT

📅 In episode 430 of Smashing Security, host Graham Cluley and guest Dave Bittner examine a range of security stories, led by a proof‑of‑concept attack that weaponises Google Calendar invites to trigger smart‑home actions. They also cover a disturbing incident where ChatGPT gave dangerous advice that led to hospitalization and discuss the new Superman trailer. The episode blends technical detail with accessible commentary and practical warnings for listeners.

Full PowerShell RAT Campaign Targets Israeli Organizations

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.

Microsoft announces Phishing Triage Agent public preview

🛡️ The Phishing Triage Agent is now in Public Preview and automates triage of user-reported suspicious emails within Microsoft Defender. Using large language models, it evaluates message semantics, inspects URLs and attachments, and detects intent to classify submissions—typically within 15 minutes—automatically resolving the bulk of false positives. Analysts receive natural‑language explanations and a visual decision map for each verdict, can provide plain‑language feedback to refine behavior, and retain control via role‑based access and least‑privilege configuration.

New DarkCloud Stealer Infection Chain Uses ConfuserEx

🔒 Unit 42 observed a new DarkCloud Stealer infection chain in early April 2025 that employs ConfuserEx-based obfuscation and a final Visual Basic 6 payload. Phishing TAR/RAR/7Z archives deliver obfuscated JavaScript or WSF downloaders which retrieve a PowerShell stage from open directories and drop a ConfuserEx-protected executable. The loaders are heavily protected with javascript-obfuscator and the variant follows prior AutoIt-based deliveries. Palo Alto Networks notes that Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM can help detect and mitigate these stages and recommends contacting Unit 42 for incident response.

Scammers Flood Social Platforms with Fake Gaming Sites

🔍 Fraudsters are promoting hundreds of polished fake gaming sites across Discord and other social platforms, falsely claiming partnerships with influencers and offering a $2,500 'promo code' to lure users. Visitors create free accounts to play sleek casino-style games (for example gamblerbeast[.]com's B-Ball Blitz), but cashouts are blocked and victims are prompted for a cryptocurrency 'verification deposit' and repeated payments. Investigators, including a Discord researcher and the threat-hunting firm Silent Push, linked a shared chat API key to at least 1,270 active domains and found centralized wallets, AI-assisted support, and network-wide tracking that make these scaled scams efficient and hard to report.

Phishers Target Aviation Executives, Steal Customer Funds

📧 A targeted phishing campaign compromised an aviation executive’s Microsoft 365 credentials, allowing attackers to mine past invoice conversations and send convincing fake invoice requests to customers. Within hours the fraudsters registered a near‑identical domain and at least one customer paid a six‑figure phony invoice. Investigation links the registration details to a long‑running Nigerian BEC ring identified as SilverTerrier; firms are urged to combine employee training, domain monitoring and rapid use of the Financial Fraud Kill Chain to improve recovery chances.

Rogue CAPTCHAs: Phony Verification Pages Spread Malware

🔒 Phony CAPTCHA pages are being used to trick users into running commands that invoke legitimate Windows tools like PowerShell or mshta.exe, which then download and install malware. Threat actors—including those using the social engineering method ClickFix—deploy infostealers, remote access trojans, ransomware and cryptominers through deceptive verification prompts that appear legitimate. Users should avoid executing pasted commands, keep systems and security software updated, and consider ad blockers to reduce exposure.

Task scams: Don't pay to get paid — warning for jobseekers

⚠️ Task scams are rising employment frauds that lure jobseekers with easy micro-tasks and visible “earnings,” then pressure victims to pay to unlock funds. The schemes use gamification, spoofed sites and messaging apps, often asking for cryptocurrency deposits or “level-up” fees. Victims see initial fake gains, then lose payments with no recourse. Always verify recruiters and never pay upfront.