CISO Brief

All news with #phishing tag

619 articles · page 6 of 31

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.

Venom Stealer MaaS Automates Continuous Credential Theft

🔐 Venom Stealer is a malware-as-a-service platform that automates credential harvesting and continuous data exfiltration, marketed on cybercrime forums with subscriptions from $250/month to $1,800 for lifetime access. Researchers at BlackFog report the product integrates ClickFix social-engineering templates into its operator panel, enabling attackers to orchestrate fake Cloudflare CAPTCHAs, update prompts and other lures that trick users into executing payloads. Once active, the stealer persistently monitors Chromium- and Firefox-based stores for new credentials, harvests cookies, autofill, browsing history and wallet data, and forwards information to GPU-backed cracking and automated transfer systems.

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.

AWS Launches End User Messaging Notify for OTPs Worldwide

📩 AWS announced AWS End User Messaging Notify, a service that lets developers send one-time passcodes (OTPs) within minutes using phone numbers and sender IDs owned by AWS. Developers configure a brand name, enable SMS, voice, or both, and use ready-to-use templates to send messages to over 200 countries. Every API call includes built-in SMS fraud protection via AWS End User Messaging SMS Protect at no extra cost, and spend limits can pause delivery if thresholds are met. Notify is available in all AWS Regions where End User Messaging is offered.

Phantom Stealer: .NET Infostealer Hits European Firms

🔍 Phantom Stealer, a .NET-based infostealer sold as part of a commercial cybercrime toolkit, harvests browser credentials, cookies, saved passwords, autofill and payment card details as well as messaging and email session data from infected systems. Group-IB observed a sustained phishing campaign between November 2025 and January 2026 that targeted logistics, manufacturing and technology organizations across Europe in five waves. Emails impersonated an equipment trading company and carried archive attachments with obfuscated JavaScript droppers or malicious executables. Indicators such as SPF failures, missing DKIM, reused templates and consistent spelling mistakes pointed to automated, template-driven stealer-as-a-service activity, with stolen data exfiltrated via messaging platforms, SMTP and FTP.

WhatsApp-delivered VBS Campaign Installs MSI Backdoors

🛡️ Microsoft Defender Experts (DEX) observed a late-February 2026 campaign leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Executing the VBS creates hidden folders under C:\ProgramData, drops renamed legitimate Windows utilities, and uses them to download additional payloads from cloud services such as AWS, Tencent Cloud, and Backblaze B2. Attackers escalate privileges, tamper with UAC and registry settings, and install unsigned MSI packages to establish persistent remote access. Microsoft recommends hardening script hosts, monitoring cloud traffic and registry changes, and enabling Defender protections.

Tax Season Sees New Phishing and RMM-based Tactics

🧾 Proofpoint researchers reported a surge of tax-themed campaigns in early 2026 delivering malware, remote access tools, fraud schemes and credential phishing. The advisory published on March 30 notes increasing use of remote monitoring and management (RMM) tools and activity from newly identified threat actors. Attacks include BEC requests for W-2/W-9 forms and fake login pages targeting W-8BEN updates. Organisations are advised to educate users and monitor for topical tax lures during filing periods.

ICO fines UK alarm provider £100,000 for nuisance calls

📞 The Information Commissioner’s Office (ICO) fined Birmingham-based monitored alarm provider TMAC £100,000 after staff used false identities on marketing sales calls and the firm made over 260,000 calls to numbers registered on the Telephone Preference Service. The ICO said TMAC deliberately targeted individuals over 60 between February and September 2024, impersonating local crime and fire prevention initiatives to trick recipients. The regulator stressed these actions breached the Privacy and Electronic Communications Regulations and highlighted the importance of public reporting in enabling enforcement.

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.

New AiTM Phishing Campaign Targets TikTok for Business

🔒 Push Security has observed a coordinated wave of Adversary-in-the-Middle (AiTM) phishing pages specifically targeting TikTok for Business accounts. The malicious domains were registered on March 24 in a rapid, nine-second window and are hosted behind Cloudflare using Nicenic International Group as registrar. Victims are redirected through legitimate Google Cloud Storage links, presented with TikTok- or Google-themed content, and ultimately confronted with a reverse-proxy AiTM login flow after completing an initial information form.

AitM Phishing Campaign Targets TikTok for Business

🔒 Push Security warns of an adversary-in-the-middle (AitM) phishing campaign that seizes control of TikTok for Business accounts by presenting victims with malicious credential-capture pages after a Cloudflare Turnstile check. Lures include lookalike TikTok for Business and fake Google Careers pages, sometimes offering scheduled calls to gain trust. The attackers host pages on multiple domains and use the Turnstile challenge to evade automated scanners. Separately, WatchGuard reported SVG attachments used to deliver a Go-based malware artifact linked to BianLian-style activity.

Dutch Police Reports Limited Breach After Phishing Attack

🔒 The Dutch National Police disclosed a security breach stemming from a successful phishing attack, saying the incident was detected quickly and access was blocked by its Security Operations Center. Officials describe the impact as limited and state that citizens' data and investigative information were not accessed. A criminal investigation and an internal probe into affected systems are ongoing.

Phishing Campaign Targets TikTok for Business Accounts

🔒 Threat actors are targeting TikTok for Business accounts with Cloudflare-hosted phishing pages that evade bot detection by using Google Storage redirects and a Cloudflare Turnstile check. Victims first see fake forms that request business-email validation and are then shown a reverse-proxy login page that captures credentials and session cookies, allowing account takeover even with 2FA enabled. Push Security links the activity to a campaign that previously targeted Google Ad Manager and notes multiple NiceNIC-registered domains hosted in the same Google Storage bucket. Users should verify domains, treat unsolicited invites cautiously, and prefer passkeys for high-value accounts.

GitHub Phishing Uses Fake OpenClaw Tokens to Drain Wallets

🔒 Threat actors are exploiting interest in OpenClaw with a GitHub phishing campaign that lures developers with fake 'CLAW' token airdrops promising thousands of dollars. Attackers open issues, tag developers, and redirect victims to cloned sites that prompt users to connect their crypto wallets. Researchers at OX Security found obfuscated wallet‑stealing code and a C2 server used to collect addresses and drain funds. Recommended actions include blocking the phishing domain and revoking suspicious wallet approvals.

Invoice Fraud Costs UK Construction Sector Millions

⚠️ The UK's NCA, alongside the National Federation of Builders (NFB), has warned finance and accounts payable teams in construction about a rise in invoice fraud, a form of BEC that cost victims almost £4m in September 2025. Fraudsters impersonate or hijack supplier emails to change bank details on invoices, exploiting complex subcontractor networks and insecure email channels. The campaign urges staff to verify invoice changes by calling suppliers, delay payments until details are confirmed, and strengthen IT controls such as strong passwords, multi‑factor authentication and up‑to‑date anti‑malware.

Spammers Abuse Yandex Surveys to Host Phishing Campaigns

⚠️ Kaspersky researchers have observed threat actors abusing Yandex Surveys to host phishing content and evade email filters by leveraging the platform's legitimate domain reputation. Attackers embed fraudulent pitches and malicious links in rich-text survey blocks, add official-looking logos, then hide interface elements with invisible padding; Kaspersky Premium blocked about 2,200 such messages in January and over 32,000 in February. Recipients who follow the links land on polished giveaway pages that harvest personal data, wallet addresses, or payments.

Phishers Abuse Bubble to Steal Microsoft Account Credentials

🔒 Threat actors are abusing the no-code Bubble AI app builder to host phishing pages that harvest Microsoft account credentials. Because apps are hosted under *.bubble.io, email security tools often treat the links as legitimate and fail to flag them. Kaspersky researchers found attackers use obfuscated JavaScript and Shadow DOM structures to redirect victims to Microsoft-like login forms, sometimes behind Cloudflare checks, to exfiltrate entered credentials.