< ciso brief />

All news with #phishing tag

619 articles · page 5 of 31

Operation Atlantic freezes $12M, disrupts crypto scams

🔒 Operation Atlantic, led by the UK's National Crime Agency with US and Canadian partners, froze $12m and disrupted multiple fraud networks after a week-long probe. The operation focused on approval phishing, a technique that tricks victims into granting full access to cryptocurrency wallets via fake alerts or popups. Investigators, supported by private-sector firms including Binance, Coinbase, Tether, and analytics vendors, identified over 20,000 compromised wallets across 30+ countries and contacted 3,000 victims. Authorities also disrupted more than 120 scam domains and flagged an additional $33m believed stolen in related crypto fraud.

International Crackdown Identifies 20,000 Crypto Victims

🔒 An international law enforcement action led by the U.K.'s National Crime Agency, dubbed Operation Atlantic, identified over 20,000 victims of cryptocurrency fraud across Canada, the UK, and the US. The weeklong operation brought together the NCA, U.S. Secret Service, Ontario authorities and private-sector partners to share real-time intelligence and conduct coordinated victim outreach. Investigators froze more than $12 million in suspected criminal proceeds tied to approval phishing and traced over $45 million in stolen cryptocurrency, and they will continue analyzing intelligence to pursue further criminal activity.

Recovery Scams Target Fraud Victims for Second Strike

⚠️ Recovery fraud preys on people who have already been defrauded: criminals pose as recovery firms, regulators or law enforcement to charge upfront fees or to collect bank and crypto details. Scammers often work from 'sucker lists' of prior victims and pressure them into untraceable payments or rushed decisions. Never pay fees in advance; verify claims independently and report incidents to the appropriate authorities.

VENOM PhaaS Phishing Targets C-Suite Microsoft Logins

🔒 Abnormal researchers disclosed a targeted phishing-as-a-service called VENOM that has been active since at least November 2025 and focuses on stealing C-suite Microsoft credentials. The campaign uses personalized SharePoint-style emails, injected fake threads, and Unicode QR codes to move victims to mobile-based landing pages while evading scanners. VENOM hides target addresses by Base64-encoding them twice and placing the result in the URL fragment (which browsers never send to the server, so link scanners fetching the page see nothing victim-specific), and filters out researchers before presenting an AiTM proxy or device-code flow that captures passwords, MFA codes, and session tokens. Researchers recommend FIDO2, disabling unused device-code flows, and tighter conditional access to mitigate token abuse.
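The fragment trick above is easy to reverse when you have a captured link, which is useful both for identifying who was targeted and for writing a detection. The following is an added example, not Abnormal's or the VENOM kit's code: the sample URL, hostname and address are constructed placeholders, and the decoder generalises the double encoding in the text by peeling up to four Base64 layers until something that looks like an e-mail address appears.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample (not a real VENOM URL): placeholder host, victim address hidden
# in the fragment as Base64 applied twice. The fragment never reaches the server, so
# a URL scanner that fetches the link sees nothing tying it to a person.
TARGET = "ceo@example.com"


def encode_layers(text: str, layers: int = 2) -> str:
    """Apply URL-safe Base64 `layers` times (used only to build the sample)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.urlsafe_b64encode(data).rstrip(b"=")
    return data.decode("ascii")


SAMPLE_URL = "https://sharepoint-login.invalid/auth#" + encode_layers(TARGET)


def _b64decode_lenient(s: str) -> bytes:
    """Decode standard or URL-safe Base64, tolerating stripped '=' padding."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


def peel_base64(blob: str, max_layers: int = 4) -> tuple[str, int]:
    """Strip Base64 layers until the result looks like an e-mail address.

    Returns (decoded_text, layers_removed), or ("", 0) if nothing usable
    emerges within max_layers or a layer is not valid Base64/UTF-8.
    """
    current = blob
    for layer in range(1, max_layers + 1):
        try:
            decoded = _b64decode_lenient(current).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return "", 0
        # crude address check: '@' with a dotted domain after it
        if "@" in decoded and "." in decoded.rsplit("@", 1)[-1]:
            return decoded, layer
        current = decoded
    return "", 0


def extract_target(url: str) -> tuple[str, int]:
    """Return (victim address, encoding depth) hidden in a URL's fragment."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return "", 0
    return peel_base64(fragment)


if __name__ == "__main__":
    print(SAMPLE_URL)
    print(extract_target(SAMPLE_URL))  # → ('ceo@example.com', 2)
```

Run the same function over fragments pulled from mail-gateway or proxy logs; a fragment that decodes to one of your executives' addresses is a strong signal on its own, regardless of the host the link points at.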

The Threat Hunter’s Gambit: Skills, Signals, and Risks

🔍 William Largent frames threat hunting as a discipline akin to strategy games, where pattern recognition, prediction, and spotting feints reveal an adversary's intent. Cisco Talos warns of a growing Platform-as-a-Proxy (PaaP) tactic in which attackers weaponize legitimate SaaS notification pipelines such as GitHub and Jira to deliver authenticated phishing that circumvents SPF, DKIM, and DMARC. Because users habitually trust system-generated alerts, defenders should adopt zero‑trust controls, ingest SaaS API logs into SIEMs, and require out‑of‑band verification for high-risk actions.

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.

Fake BTS ARIRANG Tour Ticket Websites Target Fans Worldwide

🎟️ Scammers are exploiting BTS's ARIRANG world tour pre-sales by cloning official ticket pages for multiple countries, with at least 10 fraudulent domains observed in early April. These lookalike sites replicate the purchase flow and pressure fans into instant payments; in Brazil many victims are urged to pay via PIX, sending funds to mule accounts from which recovery is difficult. To avoid fraud, fans should use only the official tour page, verify domains, confirm country-specific sales formats, and contact their bank immediately if scammed. Enable banking alerts and use security software that blocks phishing sites.

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises via live chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-like domains such as [.]zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA like FIDO2 keys, monitor live chat, block unauthorized domains and audit new MFA enrollments.

Google: UNC6783 targets BPOs to steal Zendesk tickets

🔐 Google warns that UNC6783 is compromising business process outsourcing (BPO) providers to steal corporate support tickets and other sensitive data for extortion. Attackers use social engineering, live-chat phishing, and spoofed Zendesk-style domains plus fake Okta login pages; observed phishing kits can exfiltrate clipboard contents to bypass MFA and register devices. The group also distributes fake security updates to deliver remote access malware and then contacts victims via ProtonMail; Google recommends deploying FIDO2 keys, monitoring live chat, blocking spoofed domains, and auditing MFA enrollments.

Telehealth Risks in 2026: Medical Data and AI Scams

🔒 Telehealth offers fast, convenient access to care but creates persistent medical records that are highly valuable to criminals. Stolen health data — from diagnoses and prescriptions to insurance IDs and test results — often fetches far more than payment or social-login credentials and enables extortion, fraud, and identity theft. The rise of AI-driven fake clinics and diagnostic tools makes realistic phishing and data-harvesting sites easier to create. Protect yourself by using a dedicated medical email, avoiding social sign-in, enabling 2FA, using clinic-provided encrypted portals, and keeping health devices patched.

Weaponizing SaaS Notification Pipelines for Phishing

🔔 Cisco Talos observed a rise in campaigns that weaponize SaaS notification pipelines in collaboration platforms to deliver phishing and credential‑harvesting lures. Attackers embed malicious content in GitHub commit messages and in user‑configurable Jira project fields so automated notifications, signed by the platforms, bypass SPF, DKIM, and DMARC checks. Talos describes this as a Platform‑as‑a‑Proxy (PaaP) abuse and recommends moving to Zero‑Trust, instance‑level verification, and API telemetry to detect and block these attacks.

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to request a fresh device code at the moment the victim clicks, so the code is never stale despite the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living off the land strategy that abuses native Windows utilities and legitimate services.

Traffic violation phishing texts switch to QR codes

🚨 Scammers are sending fake "Notice of Default" traffic violation texts impersonating state courts and urging recipients to scan an embedded QR code to pay a $6.99 balance. Scanning the code leads to an intermediary site with a CAPTCHA, then redirects to phishing pages posing as state DMVs that harvest personal and credit card data. These campaigns have targeted multiple states; ignore unexpected payment texts and never provide payment details to unknown senders.

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.
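Both the device-code items and the Storm-2755 write-up above end with the same advice: watch the sign-in logs. Here is an added example of what that looks like as code, serving both passages; it is not Microsoft's detection logic. The records are constructed, and the field names are a simplified stand-in for Entra ID sign-in log columns (in real exports the flow is exposed as `authenticationProtocol`, with `deviceCode` as one of its values). It flags (a) any user who signed in via the device code flow and (b) a session that, shortly after a browser-based sign-in, is reused from a different IP by a scripted client, which is the Storm-2755 replay pattern; `axios/1.7.9` comes from the article, the other user-agent prefixes are common HTTP-client defaults added here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs). Keys are a simplified
# stand-in for Entra sign-in log columns; adapt them to your export.
SIGNINS = [
    {"ts": "2026-03-02T09:00:10Z", "user": "alice@example.com", "ip": "203.0.113.5",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "protocol": "authorizationCode", "session": "sess-a1"},
    {"ts": "2026-03-02T09:03:42Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "ua": "axios/1.7.9", "protocol": "authorizationCode", "session": "sess-a1"},
    {"ts": "2026-03-02T10:15:00Z", "user": "bob@example.com", "ip": "203.0.113.9",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "protocol": "deviceCode", "session": "sess-b1"},
    {"ts": "2026-03-02T11:00:00Z", "user": "carol@example.com", "ip": "203.0.113.12",
     "ua": "Mozilla/5.0 (Macintosh)", "protocol": "authorizationCode", "session": "sess-c1"},
    {"ts": "2026-03-02T11:30:00Z", "user": "carol@example.com", "ip": "203.0.113.12",
     "ua": "Mozilla/5.0 (Macintosh)", "protocol": "authorizationCode", "session": "sess-c1"},
    # dave roams to a new IP but keeps a browser UA: noisy on its own, not flagged here
    {"ts": "2026-03-03T08:00:00Z", "user": "dave@example.com", "ip": "203.0.113.20",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "protocol": "authorizationCode", "session": "sess-d1"},
    {"ts": "2026-03-03T14:00:00Z", "user": "dave@example.com", "ip": "203.0.113.21",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "protocol": "authorizationCode", "session": "sess-d1"},
]

# User agents typical of scripted token replay. "axios/1.7.9" is the string
# Microsoft reported for Storm-2755; the rest are common client defaults (assumption).
SCRIPTED_UA_PREFIXES = ("axios/", "python-requests/", "curl/", "go-http-client/")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(records) -> list:
    """Users who authenticated through the device code flow at all. In a tenant
    where the flow is disabled or unused, any hit is worth a look."""
    return sorted({r["user"] for r in records if r["protocol"] == "deviceCode"})


def session_replays(records, window=timedelta(hours=2)) -> list:
    """Sessions reused from a different IP by a scripted client within `window`
    of the first (browser) sign-in: the shape of AiTM token replay."""
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["user"], r["session"])].append(r)

    findings = []
    for (user, session), events in by_session.items():
        events.sort(key=lambda r: _parse_ts(r["ts"]))
        first = events[0]
        for later in events[1:]:
            ua = later["ua"].lower()
            if (later["ip"] != first["ip"]
                    and ua.startswith(SCRIPTED_UA_PREFIXES)
                    and _parse_ts(later["ts"]) - _parse_ts(first["ts"]) <= window):
                findings.append({"user": user, "session": session,
                                 "origin_ip": first["ip"], "replay_ip": later["ip"],
                                 "ua": later["ua"]})
    return findings


def triage(records) -> dict:
    """Run both checks and return the findings for onward alerting."""
    return {"device_code_users": device_code_signins(records),
            "token_replay": session_replays(records)}


if __name__ == "__main__":
    for key, value in triage(SIGNINS).items():
        print(key, value)
```

A replay hit is the cue for the response the Microsoft item describes: revoke the user's refresh tokens, check for newly registered devices and inbox rules, and review what the replayed session touched. The UA filter keeps ordinary roaming (dave) out of the queue; widen it, or drop it, once the underlying IP-change signal is enriched with geolocation or device identity.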

Venom PhaaS Used in Global C-Suite Credential Theft

🔍 Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade scanners and ensure that only human targets reached the phishing page. Attackers used both AiTM relays and Microsoft's device code flow to bypass MFA and achieve persistent access.

Democratisation of Business Email Compromise Fraud Trends

🔒 The Talos Threat Source newsletter warns that business email compromise (BEC) attacks have been democratised by AI, enabling attackers to cheaply and rapidly craft convincing payment requests that target small community organisations, charities, and businesses. Attackers can automate reconnaissance and generate tailored messages referencing projects, tone, and terminology. Defenders should verify unexpected payment requests via independent channels, enforce procurement controls, and increase awareness. The briefing also flags an automated credential-harvesting campaign exploiting React2Shell in Next.js applications that risks wide-scale token and key theft.

AI-Enabled Attacks Transform Cyber Threat Operations

🤖 Microsoft describes a shift from AI as a tool to AI as an embedded attack surface, accelerating tempo, precision, and scale across reconnaissance, malware development, and post-compromise activity. AI-enhanced phishing campaigns now report click-through rates near 54% versus roughly 12% for traditional campaigns, about 4.5 times higher. The blog highlights Tycoon2FA, tied to Storm-1747, as an industrialized, subscription-based phishing ecosystem that automated MFA bypass at scale. Microsoft's Digital Crimes Unit disrupted the operation, seizing 330 domains with Europol and partners, and urges organizations to prioritize agent inventory, agentic accountability, and lifecycle-integrated intelligence and defenses.

Tax Season 2026: Cybercriminals Prepare Attacks Early

🔍 Check Point Research reports that cyber criminals systematically prepared for Tax Season 2026, registering hundreds of tax‑related domains each month from September 2025 through February 2026. These prebuilt infrastructures fueled phishing campaigns, fraudulent tax portals and malware designed to harvest credentials and financial data. Organizations and individuals should prioritize domain monitoring, DNS filtering, email authentication and targeted employee training to reduce exposure.