Tag: Phishing

Bot her emails: most modern phishing campaigns are AI-enabled

KnowBe4 says 86% of phishing it tracked used AI, and inboxes are only the start

Hundreds of orgs compromised daily in Microsoft device code phishing attacks

Who needs MFA when you've got EvilTokens?

Ericsson blames vendor vishing slip-up for breach exposing thousands of records

Crooks used simple phone scam to compromise vendor account, spilling personal and financial data belonging to more than 15,000 people

Crims hit the easy button for Scattered-Spider style helpdesk scams

Teach a crook to phish…

REG AD

Crims compromised energy firms' Microsoft accounts, sent 600 phishing emails

Logging in, not breaking in

Don't click on the LastPass 'create backup' link - it's a scam

Phishing campaign tries to reel in master passwords

Chinese spies used Maduro's capture as a lure to phish US govt agencies

What's next for Venezuela? Click on the file and see

Microsoft taps UK courts to dismantle cybercrime host RedVDS

Redmond says cheap virtual desktops powered a global wave of phishing and fraud

Google sues 25 China-based scammers behind Lighthouse 'phishing for dummies' kit

600+ phishing websites and 116 of these use a Google logo

Illustration of someone trying to avoid being caught on giant fishing hooks

Phishers try to lure 5K Facebook advertisers with fake business pages

One company alone was hit with more than 4,200 emails

A datacenter worker sitting down looking dejected

Attackers targeting unpatched Cisco kit notice malware implant removal, install it again

PLUS: Cyber-exec admits selling secrets to Russia; LastPass isn't checking to see if you're dead; Nation-state backed Windows malware; and more

Iran's MuddyWater wades into 100+ government networks in latest spying spree

Group-IB says Tehran-linked crew used hijacked mailbox and VPN to sling phishing emails across Middle East

REG AD

Cybersecurity Month

AI makes phishing 4.5x more effective, Microsoft says

And potentially 50 times more profitable

Cybersecurity Month

Chinese phishing kit helps scammers who send fake texts impersonate TikTok, Coinbase, others

Researchers tracking 2,158 domains hosting YYlaiyu phishing pages

New string of phishing attacks targets Python developers

If you recently got an email asking you to verify your credentials to a PyPI site, better change that password

Microsoft blocks bait for ‘fastest-growing’ 365 phish kit, seizes 338 domains

Redmond names alleged ringleader, claims 5K+ creds stolen and $100k pocketed

Hijacker helper VoidProxy boosts Google, Microsoft accounts on demand

Okta uncovers new phishing-as-a-service operation with 'multiple entities' falling victim

ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries

'Many dozens' targeted in ongoing campaign, CheckPoint researcher tells The Reg

guy in suit talks on phone outside office

'Impersonation as a service' the next big thing in cybercrime

Underground forums now recruiting English-speaking social engineers

Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons

Devs told to exercise 'extreme caution' with emails disguised as account update prompts

Massive spike in use of .es domains for phishing abuse

¡Cuidado! Time to double-check before entering your Microsoft creds

ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies

Crims have cottoned on to a new way to lead you astray

That WhatsApp from an Israeli infosec expert could be a Iranian phish

Charming Kitten unsheathes its claws and tries to catch credentials

DeepSeek installer or just malware in disguise? Click around and find out

'BrowserVenom' is pure poison

Hire me! To drop malware on your computer

FIN6 moves from point-of-sale compromise to phishing recruiters

Darcula adds AI to its DIY phishing kits to help would-be vampires bleed victims dry

Because coding phishing sites from scratch is a real pain in the neck

Scattered Spider stops the Rickrolls, starts the RAT race

Despite arrests, eight-legged menace targeted more victims this year

Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish

16,000 stolen records pertain to former and active mail subscribers

That 'angry guest' email from Booking.com? It's a scam, not a 1-star review

Phishers check in, your credentials check out, Microsoft warns

Rather than add a backdoor, Apple decides to kill iCloud encryption for UK peeps

Plus: SEC launches new crypto crime unit; Phishing toolkit upgraded; and more

If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish

Roses aren't cheap, violets are dear, now all your access token are belong to Vladimir

India's banking on the bank.in domain cleaning up its financial services sector

With over 2,000 banks in operation, a domain only they can use has potential to make life harder for fraudsters

REG AD

DeepSeek's iOS app is a security nightmare, and that's before you consider its TikTok links

PLUS: Spanish cops think they've bagged NATO hacker; HPE warns staff of data breach; Lazy Facebook phishing, and more!

Google takes action after coder reports 'most sophisticated attack I've ever seen'

Latest trope is tricky enough to fool even the technical crowd… almost

Europe coughs up €400 to punter after breaking its own GDPR data protection rules

PLUS: Data broker leak reveals extent of info trading; Hot new ransomware gang might be all AI, no bark; and more

It's only a matter of time before LLMs jump start supply-chain attacks

'The greatest concern is with spear phishing and social engineering'

REG AD

Slow Down road sign with cloudy background

Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

Recent campaign targeted 20,000 folk across UK and Europe with this tactic, Unit 42 warns

Image by Arak Rattanawijittakorn http://www.shutterstock.com/gallery-2364116p1.html

Phishers cast wide net with spoofed Google Calendar invites

Not that you needed another reason to enable the 'known senders' setting

Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

Damage likely limited to those running bots with private PKI access

Imaake http://www.shutterstock.com/gallery-628543p1.html

Russian spies may have moved in next door to target your network

Plus: Microsoft seizes phishing domains; Helldown finds new targets; Illegal streaming with Jupyter, and more

Helpline for Yakuza victims fears it leaked their personal info

Organized crime types tend not to be kind to those who go against them, so this is nasty

Don't open that 'copyright infringement' email attachment – it's an infostealer

Curiosity gives crims access to wallets and passwords

Russian spies use remote desktop protocol files in unusual mass phishing drive

The prolific Midnight Blizzard crew cast a much wider net in search of scrummy intel

ESET denies it was compromised as Israeli orgs targeted with 'ESET-branded' wipers

Says 'limited' incident isolated to 'partner company'

Microsoft says more ransomware stopped before reaching encryption

Volume of attacks still surging though, according to Digital Defense Report

US and UK govts warn: Russia scanning for your unpatched vulnerabilities

Also, phishing's easier over the phone, and your F5 cookies might be unencrypted, and more

Cybersecurity Month

OpenAI says Chinese gang tried to phish its staff

Claims its models aren't making threat actors more sophisticated - but is helping debug their code

Illustration of location tracking in a city

If you're holding important data, Iran is probably trying spearphish it

It's election year for more than 50 countries and the Islamic Republic threatens a bunch of them

Mind your header! There's nothing refreshing about phishers' latest tactic

It could lead to a costly BEC situation

Kremlin-linked COLDRIVER crooks take pro-democracy NGOs for phishy ride

The latest of many attempts to stifle perceived threats to Putin's regime

Novel attack on Windows spotted in phishing campaign run from and targeting China

Resources hosted at Tencent Cloud involved in Cobalt Strike campaign

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

Needless to say, it backfired in a big way

REG AD

Iran named as source of Trump campaign phish, leaks

Political stirrer Roger Stone may have been a weak link after personal emails cracked

Illustration of Iran's flag, a computer mouse, and some code

Google raps Iran's APT42 for raining down spear-phishing attacks

US politicians and Israeli officials among the top targets for the IRGC’s cyber unit

Orion SA says scammers conned company out of $60 million

Incident sounds like a BEC fraud targeting an unwitting staffer

Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

A simple HTML change and the warning is gone!

Users call on Microsoft to update Outlook's friendly name feature

That one weird thing in Outlook that gives phishers and scammers an in to an inbox

Malware Month

Illustration of a distorted digital skull

'LockBit of phishing' EvilProxy used in more than a million attacks every month

Leaves a trail of ransomware infections, data theft, business email compromise in its wake

Cybercrooks spell trouble with typosquatting domains amid CrowdStrike crisis

Latest trend follows various malware campaigns that began just hours after IT calamity

Singapore's banks to ditch texted one-time passwords

Accessibility be damned, preventing phishing is the priority

Cops cuff 22-year-old Brit suspected of being Scattered Spider leader

Spanish plod make arrest at airport before he jetted off to Italy

Two cuffed over suspected smishing campaign using 'text message blaster'

Thousands of dodgy SMSes bypassed network filters in UK-first case, it is claimed

Google guru roasts useless phishing tests, calls for fire drill-style overhaul

Current approaches aren't working and demonize security teams

US charges Iranians with cyber snooping on government, companies

Their holiday options are now far more restricted

Fraudsters abused Apple Stores' third-party pickup policy to phish for profits

Scam prevalent across Korea and Japan actually had some winners

Metropolitan police image via Shutterstock

Prolific phishing-made-easy emporium LabHost knocked offline in cyber-cop op

Police emit Spotify Wrapped-style videos to let crims know they're being hunted

X fixes URL blunder that could enable convincing social media phishing campaigns

Poorly implemented rule allowed miscreants to deceive users with trusted URLs

China encouraged armed offensive against Myanmar government to protest proliferation of online scams

Report claims Beijing is most displeased by junta's failure to address slave labor scam settlements

As if working at Helldesk weren't bad enough, IT helpers now targeted by cybercrims

Wave of Okta attacks mark what researchers are calling the biggest security trend of the year

Iranian charged over attacks against US defense contractors, government agencies

$10M bounty for anyone with info leading to Alireza Shafie Nasab's identification or location

Crooks hook hundreds of exec accounts after phishing in Azure C-suite pond

Plenty of successful attacks observed with dangerous follow-on activity

AI + ML

Deepfake CFO tricks Hong Kong biz out of $25 million

Recordings of past vidchats suspected as source of fakery – so there's another class of data you need to lock down

BreachForums admin 'Pompourin' sentenced to 20 years of supervised release

Also: Another UEFI flaw found; Kaspersky discovers iOS log files actually work; and a few critical vulnerabilities

ShinyHunters chief phisherman gets 3 years, must cough up $5M

Sebastien Raoult developed various credential-harvesting websites over more than 2 years

Cybercrooks book a stay in hotel email inboxes to trick staff into spilling credentials

Research highlights how major attacks like those exploiting Booking.com are executed

Hershey phishes! Crooks snarf chocolate lovers' creds

Stealing Kit Kat maker's data?! Give me a break

Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit

Gang thought to be behind attack on MGM Resorts has a skillset larger than most cybercrime groups in existence

Telcos should compensate phished subscribers, suggests Singapore

Regulator reckons letting scam texts through is a culpable act

Pro-Russia group exploits Roundcube zero-day in attacks on European government emails

With this zero-day, researchers say the 'scrappy' group is stepping up its operations

D-Link clears up 'exaggerations' around data breach

Who knew 3 million actually means 700 in cybercrime forum lingo?

South Korea accuses North of Phish and Ships attack

Kim Jong-un looks at industry's progress with green eyes, says South Korea's spy agency

Singapore may split liability for phishing losses between banks and victims

Won't someone please think of the banks?

More Okta customers trapped in Scattered Spider's web

Oktapus phishing campaign criminals are back in action

US government to investigate China's Microsoft email breach

PLUS: Phishing campaign targets the C-suite; Cybercrime arrests in EU and Africa; and more

INTERPOL shutters '16shop' phishing-as-a-service outfit

Alleged administrator cuffed in Indonesia, associate arrested in Japan, accused of selling fake Amazons for $60

Two pilots operating on the controls of a commercial jet aircraft

American and Southwest Airlines pilot candidate data exposed

Time to start practising identity protection

North Korea created very phishy evil twin of Naver, South Korea's top portal

Think of it as a fake Google tuned for credential capture and you'll understand why authorities want to kill it

Posing as journalists, Pink Drainer pilfers $3.3M in crypto

First the interview, then the phishing attack

You might have been phished by the gang that stole North Korea’s lousy rocket tech

US, South Korea, warn 'Kimsuky' is a very sophisticated social engineer

Ads for lucrative jobs in Asia fail to mention chance of slavery as crypto-scammer

FBI warns jobseekers to be very skeptical of working holidays in Cambodia

Illustration of Ukraine coming under attack

Russia's APT28 targets Ukraine government with bogus Windows updates

Nasty emails designed to infect systems with info-stealing malware

AI + ML

ChatGPT fans need 'defensive mindset' to avoid scammers and malware

Palo Alto Networks spots suspicious activity spikes such as naughty domains, phishing, and worse

Someone doing their taxes at their desk in a bare-brick office

April brings tulips, taxes ... and phisherfolk scammers

Vietnam threatens to cut off two million mobile subscribers

Police pounce on 'pompompurin' – alleged mastermind of BreachForums

SVB collapse's mix of money, urgency and uncertainty makes it irresistible to scammers

Refreshed from its holiday, Emotet has gone phishing

Namecheap admits 'unauthorized emails' pwning its customers

Reddit reveals security incident that looks more SNAFU than TIFU

Attackers abuse Microsoft’s 'verified publisher' status to steal data

Patches

Microsoft to enterprises: Patch your Exchange servers

UK Cyber Security Centre's scary new story: One phish, two phish, Russia phish, Iran phish

IT security teams, business execs still not on same page

World Cup phishing emails spike in Middle Eastern countries

Windows breaks under upgraded IceXLoader malware

Robin Banks crooks back at the table with fresh phish from Russia

Microsoft hits the switch on password-free smartphone authentication

Multi-factor auth fatigue is real – and it's why you may be in the headlines next

Dropbox admits 130 of its private GitHub repos were copied after phishing attack

Gone phishing: UK data watchdog fines construction biz £4.4m for poor infosec hygiene

DHL named most-spoofed brand in phishing

Composite image of a college graduate wearing a mortarboard in front of a $100 bill

FBI: Looking for Biden's student loan forgiveness? Watch out for these scams

Phishing works so well crims won't bother with deepfakes, says Sophos chap

US election workers slammed with phishing, malware-stuffed emails

Networks

FCC takes on robotexts. Good news if your dad thinks IRS gives SMS rebates

The web's cruising at 13 million new and nefarious domain names a month

Microsoft says it's boosted phishing protection in Windows 11 22H2

Cisco: Yes, Yanluowang leaked our data. No, it's not serious

Chinese-linked cyber crims nab $529 million from Indian nationals

Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN

Hotel manager shocked sitting in front of the monitor of computer.

Cyberattack brings down InterContinental Hotels' booking systems

doordash_dasher_on_bike_san_francisco_street

Now Oktapus gets access to some DoorDash customer info via phishing attack

Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign

Hiding a phishing attack behind the AWS cloud

Imagineerinx http://www.shutterstock.com/gallery-1743821p1.html

After 7 years, long-term threat DarkTortilla crypter is still evolving

Reckon Russian spies are lurking in your inbox? Check for these IOCs, Microsoft says

Cisco admits corporate network compromised by gang with links to Lapsus$

Cloudflare: Someone tried to pull the Twilio phishing tactic on us too

Twilio customer data exposed after its staffers got phished

Decentralized IPFS networks forming the 'hotbed of phishing'

Cyber-mercenaries for hire represent shifting criminal business model

This big phish can swim around MFA, says Microsoft Security

Personal Tech

Is this you in this explicit snap? No, it's just Discord phishing

AstraLocker ransomware reportedly closes doors to pursue cryptojacking

Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks

Europol arrests nine suspected of stealing 'several million' euros via phishing

Networks

Illustration of files moving from someone's laptop to the cloud

Zscaler bulks up AI, cloud, IoT in its zero-trust systems

Voicemail phishing emails steal Microsoft credentials

Interpol anti-fraud operation busts call centers behind business email scams

Heineken says there’s no free beer, warns of phishing scam

Emotet malware gang re-emerges with Chrome-based credit card heistware

Facebook phishing campaign nets millions in IDs and cash

Now Windows Follina zero-day exploited to infect PCs with Qbot

Microsoft seizes 41 domains tied to 'Iranian phishing ring'

Costa Rican government held up by ransomware … again

Watch out for phishing emails that inject spyware trio

Patches

Ransomware attack sends US county back to 1977

Suspected phishing email crime boss cuffed in Nigeria

It's 2022 and there are still malware-laden PDFs in emails exploiting bugs from 2017

Someone working on something nefarious with a spotlight on them

Hot glare of the spotlight doesn’t slow BlackByte ransomware gang

Facebook rated least safe e-commerce option in government rankings

Shopping for malware: $260 gets you a password stealer. $90 for a crypto-miner...

Anatomy of a campaign to inject JavaScript into compromised WordPress sites

Phishing operation hits NHS email accounts to harvest Microsoft credentials

Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion

Russian-linked Shuckworm crew ramps up Ukraine attacks

Criminals adopting new methods to bypass improved defenses, says Zscaler

US warns North Korean Lazarus gang rising against cryptocurrency outfits

image by Alexander_P http://www.shutterstock.com/gallery-493324p1.html

Cybercriminals do their homework for latest banking scam

Attackers exploit Spring4Shell flaw to let loose the Mirai botnet

Broader investment in cybersecurity beginning to pay dividends

Bank had no firewall license, intrusion or phishing protection – guess the rest

Mailchimp: Crook stole cryptocurrency clients' mailing-list subscriber info

Google: Russian credential thieves target NATO, Eastern European military

Ukraine security agency shutters Russian disinformation bot farms

Cybercrooks target students with fake job opportunities

IcedID malware, in the hijacked email thread, with the insecure Exchange servers

China APT group using Russia invasion, COVID-19 in phishing attacks

We blocked North Korea's Chrome exploit, says Google

How CAPTCHAs can cloak phishing URLs in emails

The Windows malware on Ukraine CERT's radar

Cloudflare buys anti-phishing business Area 1 for $162m

Microsoft offers defense against 'ice phishing' crypto scammers

Singapore introduces potent anti-scam measures

Phishing kits' use of man-in-the-middle reverse proxies is growing, warns Proofpoint

Singapore gives banks two-week deadline to fix SMS security

Customers waiting to be served in OCBC Bank in Singapore on 18 April, 2015

Singapore monetary authority threatens action on bank over widespread phishing scam

European Cybercrime Centre confident it's kicked credit card crims – again

Google advises passwords are good, spear phishing is bad, and free clouds get attacked

Centre for Computing History apologises to customers for 'embarrassing' breach

Unpatched flaw 'weaponises' Apple AirTags to turn them into the phisherman's friend

Illustration of an email being hooked in a phishing campaign

Mafia works remotely, too, it seems: 100+ people suspected of phishing, SIM swapping, email fraud cuffed

A Boeing 777 airliner on landing. Pic: Shutterstock

Aviation-themed phishing campaign pushed off-the-shelf RATs into inboxes for 5 years

Caïn, a sculpture by Henry Vidal, epic facepalm

Brits open doors for tech-enabled fraudsters because they 'don't want to seem rude'

Chipotle workers assembling customers' burritos

Spam is Chipotle's secret ingredient: Marketing email hijacked to dish up malware

Russian gang behind SolarWinds hack returns with phishing attack disguised as mail from US aid agency

Train operator phlunks phishing test by teasing employees with non-existent COVID bonus

Scammers tried slurping folks' login details through 70,000 coronavirus-themed phishing URLs during 2020

Days before the US election, phishers net $2.3m from Wisconsin Republicans

Software

Your anti-phishing test emails may be too easy to spot. NIST has a training tool for that

You have to be very on-trend as a cybercrook – hence why coronavirus-themed phishing is this year's must-have look

Things are getting back to normal: Chinese hackers revert to bugging Tibetans after brief Euro campaign

Doctor, doctor, got some sad news, there's been a bad case of hacking you: UK govt investigates email fail

Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

UK intel committee on Russia: Social media firms should remove state disinformation. What was that, MI5? ████████?

Software

Southern Water to splash £50m on IT services to purify systems of planning, governance and internal controls

Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5

Someone peeking over their desk out of sight

Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

Your 2.3m Instagram fans won't stop the FBI... Web star accused of plotting to launder millions from cyber-crime

Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute

Australian prime minister scott morrison

Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Anatomy of a business email scam: FBI dossier details how fraudster pocketed $500k+ by redirecting payments

Cybercrooks tend to prefer Google-branded phishing to Microsoft-flavoured lures

Sunnylvsfjorden Fjord in Norway with a cruise ship

There's Norway you're going to believe this: Government investment fund conned out of $10m in cyber-attack

UBON RATCHATHANI, THAILAND - JANUARY 25, 2015: Mario pixel art printed on poster tulpahn / Shutterstock.com

Mama mia! Nintendo in need of a plumber after leak sprays N64, GameCube, Wii code

worker sceptical about email she's received

Something a bit phishy in your inbox? You can now email suspected frauds straight to Blighty's web takedown cops

American oil drills set in front of $100 bills

Weeks before US oil contract prices went negative, a spear-phishing crew went after oil firms. What did they get?

Stealing top secret folders- photo from shutterstock

You know all those stories of leaky cloud buckets taken offline? Well, some may still be there, just badly hidden

No, the head of the World Health Organization has not emailed you – it's a message laced with malware

Online face mask sales scams, 400% uptick of coronavirus phishing reports: Brit cops' workload shifts online along with the nation's

Health workers are top of phishers' target lists thanks to data value