Posts with label Credential Theft

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

 


Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account.

Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts.

When users clicked the SharePoint link, they were redirected to a fraudulent website designed to look legitimate. The site prompted them to enter their Microsoft login details. By doing so, victims unknowingly handed over valid usernames and passwords to the attackers.

After collecting credentials, the attackers accessed the compromised email accounts from different IP addresses. They then created inbox rules that automatically deleted incoming emails and marked messages as read. This step helped conceal the intrusion and prevented account owners from noticing unusual activity.
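The inbox-rule step above is one of the more detectable parts of this kind of intrusion. The following script is an added example, not Microsoft's code: it flags rules that delete, mark as read or divert mail in records shaped like Microsoft 365 unified audit log entries. The log lines are constructed, and the field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) are an assumption about that schema.

```python
"""Flag mailbox rules that hide incoming mail, the concealment step above.

Added example, not Microsoft's code. The sample records are constructed to
resemble Microsoft 365 unified audit log entries for Exchange operations
(Operation, UserId, ClientIP, and Parameters as a list of Name/Value pairs);
treat those field names as an assumption about the real schema.
"""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Folders where an attacker parks mail the owner is unlikely to check.
SUSPECT_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions",
                   "archive", "junk email", "conversation history")

# Words that suggest a rule targets replies, bounces or security warnings,
# i.e. the messages that would otherwise tip the victim off.
SUSPECT_KEYWORDS = ("undeliverable", "out of office", "automatic reply",
                    "delivery", "phish", "suspicious", "password", "hacked")

# Parameters that narrow a rule; a hiding rule with none of them hides everything.
CONDITION_PARAMS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords",
                    "HeaderContainsWords", "RecipientAddressContainsWords"}

# Constructed sample log in JSON-lines form; users and IPs are placeholders.
SAMPLE_AUDIT_LOG = """
{"Operation": "New-InboxRule", "UserId": "jdoe@energyco.example", "ClientIP": "203.0.113.45", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "Set-InboxRule", "UserId": "jdoe@energyco.example", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "Cleanup"}, {"Name": "SubjectContainsWords", "Value": "Undeliverable;Out of Office;Automatic reply"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}
{"Operation": "New-InboxRule", "UserId": "asmith@energyco.example", "ClientIP": "192.0.2.10", "Parameters": [{"Name": "Name", "Value": "Vendor news"}, {"Name": "From", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "MailItemsAccessed", "UserId": "jdoe@energyco.example", "ClientIP": "203.0.113.45", "Parameters": []}
"""


def _params(record):
    """Flatten the log's list of {Name, Value} pairs into a plain dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_true(value):
    return value.strip().lower() == "true"


def assess_rule(record):
    """Return a finding for a rule that hides mail, or None if it looks benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    reasons = []
    if _is_true(params.get("DeleteMessage", "")):
        reasons.append("deletes matching mail")
    if _is_true(params.get("MarkAsRead", "")):
        reasons.append("marks matching mail as read")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in SUSPECT_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    conditions = " ".join(v for k, v in params.items() if k in CONDITION_PARAMS).lower()
    if any(word in conditions for word in SUSPECT_KEYWORDS):
        reasons.append("matches replies, bounces or security notices")
    # A rule that hides mail without any condition hides the whole inbox.
    if reasons and not (CONDITION_PARAMS & params.keys()):
        reasons.append("applies to every incoming message")
    if not reasons:
        return None
    return {
        "user": record.get("UserId"),
        "rule": params.get("Name") or params.get("Identity"),
        "client_ip": record.get("ClientIP"),
        "reasons": reasons,
    }


def suspicious_inbox_rules(log_text):
    """Parse JSON-lines audit records and return the findings for hiding rules."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = assess_rule(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_AUDIT_LOG):
        print(f"{f['user']} rule {f['rule']!r} from {f['client_ip']}: "
              + ", ".join(f["reasons"]))
```

Pairing each finding's client IP with the user's normal sign-in locations is the natural next correlation, since the rules here were created from addresses the victim never used.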

Using these compromised inboxes, the attackers launched a second wave of phishing emails. These messages were sent not only to external contacts but also to colleagues and internal distribution lists. Recipients were selected based on recent email conversations found in the victim’s inbox, increasing the likelihood that the messages would appear trustworthy.

In this campaign, the attackers actively monitored inbox responses. They removed automated replies such as out-of-office messages and undeliverable notices. They also read replies from recipients and responded to questions about the legitimacy of the emails. All such exchanges were later deleted to erase evidence.

Any employee within an energy organization who interacted with the malicious links was also targeted for credential theft, allowing the attackers to expand their access further.

Microsoft confirmed that the activity began in January and described it as a short-duration, multi-stage phishing operation that was quickly disrupted. The company did not disclose how many organizations were affected, identify the attackers, or confirm whether the campaign is still active.

Security experts warn that simply resetting passwords may not be enough in these attacks. Because attackers can interfere with multi-factor authentication settings, they may maintain access even after credentials are changed. For example, attackers can register their own device to receive one-time authentication codes.

Despite these risks, multi-factor authentication remains a critical defense against account compromise. Microsoft also recommends using conditional access controls that assess login attempts based on factors such as location, device health, and user role. Suspicious sign-ins can then be blocked automatically.

Additional protection can be achieved by deploying anti-phishing solutions that scan emails and websites for malicious activity. These measures, combined with user awareness, are essential as attackers increasingly rely on stolen identities rather than software flaws.


FBI Flags Kimsuky’s Role in Sophisticated Quishing Attacks


 

A new warning from the US Federal Bureau of Investigation indicates that Kimsuky, a cyber espionage group linked to North Korea and also tracked as APT43, has advanced its spearphishing tactics in recent months.

The threat actor has increasingly turned to QR code-based attacks as a means of infiltrating organizational networks.

The alert describes the group's use of a technique referred to as "quishing," in which carefully crafted spearphishing emails embed malicious URLs in QR codes rather than as links that are clickable directly in the emails.

Because recipients scan the QR codes with mobile devices, the malicious URLs bypass traditional email security gateways that are designed to identify and block suspicious links.

Kimsuky exploits this gap between enterprise email defenses and personal mobile use to stealthily harvest user credentials and session tokens, which increases the probability of unauthorized access while reducing the chance of early detection by security teams.

The campaign has reinforced concerns about the growing sophistication of state-sponsored cyber operations and indicates a broader shift toward more evasive, socially engineered attack methods.

The FBI has determined that Kimsuky has been actively using this technique since at least 2025, in campaigns observed targeting think tanks, academic institutions and both US and international government entities with spear phishing emails embedded with malicious Quick Response (QR) codes.

The bureau describes "quishing" as a deliberate strategy of pushing victims away from enterprise-managed desktop systems and onto mobile devices, whose security controls are often weaker or less clearly defined.

The Kimsuky actor, known by various aliases including APT43, Black Banshee, Emerald Sleet, Springtail, TA427 and Velvet Chollima, is widely believed to be a North Korean intelligence agency.

Kimsuky's phishing campaigns have been honed over the years to bypass email authentication measures. According to an official US government bulletin published in May 2024, the group has successfully exploited misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to deliver emails that convincingly impersonated trusted domains.

This allowed their malicious campaigns to blend seamlessly into legitimate communications. The attack chain begins once a target scans a malicious QR code, which quickly directs the device to infrastructure controlled by the threat actors, where preliminary reconnaissance is conducted to profile the victim's device.
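The misconfigured DMARC policies referred to in the May 2024 bulletin can be checked with a small record parser. This is an added example, not code from the FBI or the bulletin; the records and domain names below are constructed, and `assess_dmarc` is a hypothetical helper.

```python
"""Check a DMARC record for the weaknesses Kimsuky is reported to abuse.

Added example, not code from the FBI or the May 2024 bulletin. The records
below are constructed; to assess a real domain, fetch the TXT record at
_dmarc.<domain> and pass the string to assess_dmarc().
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lowercase tags.

    Returns None when a tag lacks '=', which is what a forgotten ';' looks like.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags is None or tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        # Receivers ignore a record they cannot parse, so this is as bad as none.
        return ["not a valid DMARC1 record (missing v=DMARC1 or p= tag)"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={tags['p']}: unknown policy, receivers will ignore it")
    # Subdomains inherit p= unless sp= overrides it; sp=none reopens the hole.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: the owner receives no aggregate reports")
    return findings


# Constructed records, one per hypothetical domain.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "weak-subdomain.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak-subdomain.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "broken.example": "v=DMARC1 p=reject",
}


def spoofable_domains(records):
    """Return the domains whose record leaves them open to impersonation."""
    return sorted(domain for domain, rec in records.items() if assess_dmarc(rec))


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, "->", assess_dmarc(rec) or ["enforcing"])
```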

Based on the FBI's findings, these intermediary domains harvest technical information, including operating system details, browser identifiers, screen resolutions, IP addresses and geolocation data, which allows attackers to tailor follow-up activity with greater precision.

Victims are then presented with convincing, mobile-optimized phishing pages that resemble trusted authentication portals such as Microsoft 365, Okta and corporate VPN login pages.

By stealing session cookies and replaying them, the operators are believed to have circumvented multi-factor authentication controls and seized control of cloud-based identities. Once an organization is compromised, the group establishes persistence and uses the hijacked accounts to launch secondary spear-phishing campaigns, extending the intrusion laterally across trust networks.

As the FBI describes it, this approach is a high-confidence, MFA-resilient identity intrusion vector that originates on unmanaged mobile devices sitting outside the traditional reach of endpoint detection and network monitoring.

Investigators observed a number of Kimsuky attacks during May and June 2025, including campaigns that impersonated foreign advisors, embassy employees and think tank staff to lure victims to a fictitious conference.

Active for more than a decade, North Korea-aligned espionage groups tracked as APT43 and Emerald Sleet have been gathering intelligence on organizations in the United States, Japan and South Korea. These groups, also known as Velvet Chollima, TA406 and Black Banshee, have traditionally targeted such organizations for intelligence collection.

In 2023, the U.S. government sanctioned the group for activities related to sanctions evasion and support for Pyongyang's weapons of mass destruction programs.

The current campaign relies on QR codes embedded within carefully crafted spear-phishing emails as its primary infection vector: the codes are scanned with a victim's mobile device and direct it to attacker-controlled infrastructure.

These websites host phishing pages crafted to look like legitimate authentication portals, including Microsoft 365, Google Workspace, Okta and a range of VPN and single sign-on services.

Investigators report that the operation typically begins with detailed open-source reconnaissance to identify high-value individuals, followed by tailored email messages that impersonate trusted contacts or refer to timely events to lend credibility.

Once the QR code is scanned, the malicious site either collects login credentials or delivers malware payloads such as BabyShark or AppleSeed, enabling attackers to establish persistence, move laterally within compromised environments and exfiltrate sensitive data.

The activity aligns with a number of MITRE ATT&CK techniques, reflecting organized and methodical tradecraft that includes credential harvesting, application-layer command-and-control communications and data exfiltration via web services.

The group also fingerprints victim devices by collecting browser and geolocation information, which lets it optimize the phishing content for mobile use and, in some cases, facilitates session token theft that bypasses multi-factor authentication.

Targets have included researchers, academic institutions, government bodies and strategic advisory organizations, with senior analysts, diplomats and executives singled out for the sensitive information they hold.

While the campaign has a global footprint covering the United States, South Korea, Europe, Russia and Japan, it has also proven more effective because it relies on personalized lures that exploit professional trust networks and on the fact that QR codes are routinely used for event access and document sharing, highlighting the growing threat of mobile-centric phishing.

The FBI's advisory is a timely reminder that organizations' attack surfaces are no longer limited to conventional desktops and email gateways, but increasingly extend to mobile devices operating outside standard enterprise visibility.

As malicious actors like Kimsuky develop social engineering techniques that exploit trust, convenience and routine user behavior to gain access to sensitive information, organizations are being forced to reassess how their identity protection strategies intersect with their mobile access policies and user awareness practices.

Information security leaders urgently need to place greater emphasis on phishing-resistant authentication, continuous monitoring of anomalous sign-in activity, and stronger governance over mobile device usage, particularly for employees handling sensitive policy, research or advisory matters.

Users should also be educated to treat QR codes with the same attention and scrutiny they apply to suspicious links and attachments.

A campaign of this kind illustrates a shift in state-sponsored cyber operations towards low-friction, high-impact intrusion paths that emphasize stealth over scale, pointing to the need for adaptive defenses that can evolve as rapidly as the tactics used to defeat them.

Phantom Shuttle Chrome Extensions Caught Stealing Credentials

 

Two malicious Chrome extensions named Phantom Shuttle have been discovered posing as proxy and network test tools while stealing browsing data and private information from users' browsers without their knowledge.

According to security researchers from Socket, these extensions have been around since at least 2017 and were still present in the Chrome Web Store at the time of writing. This raises serious concerns about the dangers of browser extensions, even those from reputable sources.

Socket's analysis indicates that the Phantom Shuttle extensions direct victims' online traffic to a proxy setup controlled by the attackers using hardcoded credentials. The attackers hid the malicious code by prepending it to a jQuery library.

The hardcoded proxy credentials are also obfuscated using a custom character index-based encoding scheme, which hinders detection and reverse engineering. The extensions' built-in traffic listener can intercept HTTP authentication challenges on multiple websites.

Modus operandi 

To force traffic through its infrastructure, Phantom Shuttle dynamically modifies Chrome’s proxy configuration using an auto-configuration script. In a default mode labeled “smarty,” the extensions allegedly route more than 170 “high-value” domains through the proxy network, including developer platforms, cloud consoles, social media services, and adult sites. Additionally, to avoid breaking environments that could expose the operation, the extensions maintain an exclusion list that includes local network addresses and the command-and-control domain. 

Because the extensions operate as a man-in-the-middle, they can capture data submitted through forms, such as credentials, payment card data, passwords and other personal information. Socket says the extensions can also steal session cookies from HTTP headers and parse API tokens from requests, potentially taking over accounts even when passwords are not directly harvested.

Mitigation tips 

Chrome users are warned to download extensions only from trusted developers, to verify multiple user reviews and to be attentive to the permissions asked for when installing. In sensitive workload environments (cloud admin, developer portals, finance tools), minimizing extensions and removing those not in use can also dramatically reduce exposure to similar proxy-based credential heists.

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.
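One of the configuration audits recommended above, written as an added example rather than Amazon's code: it reads the JSON shape returned by `aws ec2 describe-security-groups` and flags rules that open management ports, or all traffic, to the whole internet. The security groups are constructed and the list of admin ports is this example's own choice.

```python
"""Flag security group rules that expose management ports to the internet,
one of the configuration audits recommended above.

Added example, not Amazon's code. The input mirrors the JSON shape returned by
`aws ec2 describe-security-groups`; the groups below are constructed, and the
set of admin ports is this example's own choice.
"""
import ipaddress
import json

# Ports that typically front admin or management interfaces on edge devices.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 3389: "RDP",
               5900: "VNC", 8443: "HTTPS admin", 10443: "SSL VPN admin"}

# Constructed sample output; group IDs and CIDRs are placeholders.
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "edge-vpn", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "mgmt-legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")


def is_public_source(cidr):
    """True for 0.0.0.0/0 and ::/0, the 'anywhere' sources."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_rules(describe_output):
    """Return one finding per rule that opens an admin port, or all traffic,
    to the whole internet. Rules limited to specific sources are skipped."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [s for s in sources if is_public_source(s)]
            if not public:
                continue
            base = {"group": group["GroupId"], "name": group.get("GroupName"),
                    "sources": public}
            if perm.get("IpProtocol") == "-1":
                findings.append({**base, "ports": "all traffic"})
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or lo < 0:
                continue  # ICMP and similar rules carry no port range
            hit = {port: name for port, name in ADMIN_PORTS.items() if lo <= port <= hi}
            if hit:
                findings.append({**base, "ports": hit})
    return findings


if __name__ == "__main__":
    for f in exposed_admin_rules(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['ports']} open to {', '.join(f['sources'])}")
```

Port 443 open to the world is deliberately not flagged here, since that is the VPN service itself; the finding is the separate admin port beside it.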

Cellik Android Spyware Exploits Play Store Trust to Steal Data

 

A recently discovered Android remote access trojan named Cellik has been recognized as a serious mobile threat; it uses a Google Play integration feature to hide inside legitimate applications and evade detection by security solutions.

Cellik is advertised as malware-as-a-service (MaaS) on cybercrime forums, with subscriptions starting at approximately $150 a month. One of its most alarming features is that it allows malicious payloads to be injected into legitimate Google Play applications, which victims can then easily install.

Once installed, Cellik gives the attacker complete control over the target device. Operators can remotely stream the device's screen live, access all files, receive notifications, and even use a hidden browser to visit websites and enter form data without the victim's awareness. The malware also has an app inject feature that lets attackers overlay login screens on ordinary applications such as banking or email apps to harvest credentials and other sensitive data.

Cellik's Play Store integration also includes an automated APK builder, so operators can browse the store, choose popular apps and bundle them with the Cellik payload in one click. The operators claim this allows them to bypass Google Play Protect and other device-based security scanners, but Google has not independently verified this.

Android users should heed the advice of security experts: do not sideload APKs from unknown sources, keep Play Protect enabled at all times, be very judicious about app permissions, and watch for anything unusual on their phones. Because Cellik represents a significant new development in Android malware, both users and the security community should be vigilant to ensure that sensitive data and device integrity are not compromised.

Malicious Software Compromises 26000 Devices Across New Zealand


New Zealand's National Cyber Security Centre is notifying individuals after thousands of devices were found to be infected with malware, underscoring the persistent risk posed by credential-stealing cybercrime.

The agency is emailing about 26,000 people, advising them to visit the Own Your Online portal for instructions on removing the malicious software and strengthening their account security.

As NCSC Chief Operating Officer Michael Jagusch informed me, the alerts relate to Lumma Stealer, a well-known strain of malware targeting Windows-based devices. The malware can facilitate identity theft or fraud by covertly harvesting sensitive data such as email addresses and passwords.

Officials noted that Lumma Stealer and other information-stealing tools remain part of a growing international cybercrime ecosystem, so users should be vigilant and take proactive security measures to protect themselves. The National Cyber Security Centre, part of the Government Communications Security Bureau, assessed that the malicious activity may have affected approximately 26,000 email addresses countrywide.

In a statement published on Wednesday, the U.S. Department of Homeland Security warned that the malware involved in the incident, Lumma Stealer, is specifically designed to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems.

As the NCSC noted, this threat primarily targets Windows-based devices, and cybercriminals use it to facilitate identity and financial fraud, highlighting the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data.

The issue was discovered through the NCSC's cyber intelligence partnerships. The agency first worked with government bodies and financial institutions to alert a segment of those affected before expanding the effort to notify the wider public. Jagusch said the centre has now moved to a broader direct-contact approach, its first public outreach of this kind on such a scale.

He stressed that the notifications are genuine and come from the official email address no-reply@comms.ncsc.govt.nz, which helps recipients distinguish them from fraudulent messages. A recent BNZ survey indicates similar exposure across small and medium businesses, consistent with the current campaign, which is aimed at households and individuals.

The research reveals that 65% of small and medium-sized businesses believe scam activity targeting them has increased over the past year, yet 45% do not place a high priority on scam awareness or cyber education, even though their employees routinely handle emails, payment information and customer data.

Approximately half of surveyed SMEs reported being scammed in the last 12 months, many by clicking links, opening attachments or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals increasingly exploit human behaviour rather than technical flaws, targeting business owners and employees in their daily work.

A substantial number of small business owners reported losses following breaches: 21% reported a business financial loss, 26% a personal financial loss and 30% a data compromise, all with consequences beyond business accounts. According to Miller, the average loss was over $5,000, showing that scammers seek not only company funds but also personal information and sensitive business data.

The NCSC is the country's primary authority for helping individuals and companies reduce their cyber risk, and it is housed within the Government Communications Security Bureau.

Its work rests on three core functions: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate and specialist capability to combat the most serious and harmful cyber threats.

Own Your Online, a central part of this initiative and a platform run by the NCSC, provides practical tools, guidance and resources designed to make cybersecurity accessible to households, small businesses and nonprofit organisations, along with clear advice on prevention and on what to do when an incident occurs.

The incident is a timely reminder of the increasing sophistication and reach of modern cybercrime, and of the shared responsibility for limiting its effects on society. Experts continue to emphasize the basics of a safe system: strong, unique passwords, multi-factor authentication wherever possible, and keeping operating systems and software up to date.

Users are also advised to remain cautious of any unexpected emails or messages, even those that appear to come from trusted sources, and to communicate only through official channels to avoid confusion.

The focus remains on raising awareness and improving resilience among individuals and organisations, and on strengthening collaboration between the authorities and the business and financial sector.

Agencies have adopted an approach that encourages early detection, clear communication and practical guidance, aimed at reducing immediate harm while fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.

Fake Netflix Job Offers Target Facebook Credentials in Real-Time Scam

 

A sophisticated phishing campaign is targeting job seekers with fake Netflix job offers designed to steal Facebook login credentials. The scam specifically focuses on marketing and social media professionals who may have access to corporate Facebook business accounts. 

Modus operandi 

The attack begins with highly convincing, AI-generated emails that appear to come from Netflix's HR team, personally tailored to recipients' professional backgrounds. When job seekers click the "Schedule Interview" link, they're directed to a fraudulent career site that closely mimics Netflix's official page. 

The fake site prompts users to create a "Career Profile" and offers options to log in with Facebook or email. However, regardless of the initial choice, victims are eventually directed to enter their Facebook credentials. This is where the scam becomes particularly dangerous. 

Real-time credential theft 

What makes this attack especially sophisticated is the use of websocket technology that allows scammers to intercept login details as they're being typed. As Malwarebytes researcher Pieter Arntz explains, "The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds". 

The attackers can immediately test stolen credentials on Facebook's actual platform and may even request multi-factor authentication codes if needed. If passwords don't work, they simply display a "wrong password" message to maintain the illusion. 

While personal Facebook accounts have value, the primary goal is accessing corporate social media accounts. Cybercriminals seek marketing managers and social media staff who control company Facebook Pages or business accounts. Once compromised, these accounts can be used to run malicious advertising campaigns at the company's expense, demand ransom payments, or leverage the organization's reputation for further scams.

Warning signs and protection

Security researchers have identified several suspicious email domains associated with this campaign, including addresses ending with @netflixworkplaceefficiencyhub.com, @netflixworkmotivation, and @netflixtalentnurture.com. The fake hiring site was identified as hiring.growwithusnetflix[.]com, though indicators suggest the operators cleared their tracks after the scam was exposed. 

Job seekers should be cautious of unsolicited job offers, verify website addresses carefully, and remember that legitimate Netflix recruitment doesn't require Facebook login credentials. The campaign demonstrates how scammers exploit both job market anxiety and the appeal of working for prestigious companies to execute sophisticated credential theft operations.

Major Password Managers Leak User Credentials in Unpatched Clickjacking Attacks

 

Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information. 

Modus operandi

Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites. 

The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data. 

Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time. 
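The attack described above works only if the user cannot see the real autofill dropdown. The following is an added example, not code from the article, from Marek Tóth's research, or from any of the vendors named: it shows the kind of pre-click visibility check a password-manager extension could run on its own dropdown before honouring a click. It walks the dropdown's ancestor chain for hiding styles (opacity, visibility, display, pointer-events) and then hit-tests the dropdown's centre to confirm that the element on top is the dropdown itself rather than a decoy. The `getStyle` and `elementAtPoint` hooks, the 0.9 opacity threshold and the constructed DOM-like nodes are assumptions made so the logic runs outside a browser.

```javascript
// Added example (not from the article or the research it reports): a
// visibility check an autofill UI can run before acting on a click.
// Defaults assume a real DOM; tests inject stand-ins.

const MIN_OPACITY = 0.9; // assumed threshold: anything fainter is treated as hidden

function isSelfOrDescendant(node, root) {
  for (let cur = node; cur; cur = cur.parentElement) {
    if (cur === root) return true;
  }
  return false;
}

function assessDropdownVisibility(dropdown, opts = {}) {
  const getStyle = opts.getStyle || ((el) => window.getComputedStyle(el));
  const elementAtPoint = opts.elementAtPoint || ((x, y) => document.elementFromPoint(x, y));
  const reasons = [];

  // 1. Any ancestor (or the dropdown itself) that is transparent, invisible or
  //    click-through hides the dropdown from the user while it still receives clicks.
  for (let cur = dropdown; cur; cur = cur.parentElement) {
    const s = getStyle(cur);
    const opacity = s.opacity === undefined || s.opacity === '' ? 1 : parseFloat(s.opacity);
    if (opacity < MIN_OPACITY) reasons.push(`opacity ${opacity} on <${cur.tagName}>`);
    if (s.visibility === 'hidden') reasons.push(`visibility hidden on <${cur.tagName}>`);
    if (s.display === 'none') reasons.push(`display none on <${cur.tagName}>`);
    if (s.pointerEvents === 'none') reasons.push(`pointer-events none on <${cur.tagName}>`);
  }

  // 2. Hit-test the centre of the dropdown: if some other element is on top, a
  //    decoy (cookie banner, CAPTCHA prompt) is covering it and will get the click.
  const r = dropdown.getBoundingClientRect();
  const top = elementAtPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (!top || !isSelfOrDescendant(top, dropdown)) {
    reasons.push(`covered by <${top ? top.tagName : 'nothing'}>`);
  }

  return { visible: reasons.length === 0, reasons };
}

// Constructed, minimal DOM-like nodes so the check can be exercised offline.
function makeNode(tagName, style, parentElement, rect) {
  return { tagName, style, parentElement, getBoundingClientRect: () => rect };
}

// Constructed page: body > wrapper > dropdown, plus a decoy that may sit on top.
// wrapperOpacity models the attacker's opacity trick; decoyOnTop models an overlay.
function buildScenario({ wrapperOpacity, decoyOnTop }) {
  const rect = { left: 100, top: 200, width: 300, height: 150 };
  const body = makeNode('BODY', {}, null, rect);
  const wrapper = makeNode('DIV', { opacity: String(wrapperOpacity) }, body, rect);
  const dropdown = makeNode('UL', {}, wrapper, rect);
  const decoy = makeNode('DIV', {}, body, rect);
  return assessDropdownVisibility(dropdown, {
    getStyle: (el) => el.style,
    elementAtPoint: () => (decoyOnTop ? decoy : dropdown),
  });
}

// Honest page: visible. Attack page (opacity 0.01 wrapper + decoy on top): two findings.
const honestPage = buildScenario({ wrapperOpacity: 1, decoyOnTop: false });
const attackPage = buildScenario({ wrapperOpacity: 0.01, decoyOnTop: true });
console.log(honestPage, attackPage);
```

A real extension would run the check on the computed styles of the host page's DOM and refuse to fill when `visible` is false; the hit-test is the part that catches overlays the opacity walk cannot see, because a decoy element is not an ancestor of the dropdown.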

Impacted password managers

The vulnerable password managers include: 
  • 1Password 8.11.4.27 
  • Bitwarden 2025.7.0 
  • Enpass 6.11.6 
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3 
  • LogMeOnce 7.12.4 
These services collectively have approximately 40 million users. 

Vendor responses 

Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes. 

Bitwarden downplayed the severity but says it addressed the issues in version 2025.8.0. LogMeOnce initially did not respond to any contact attempts but later released an update. Several other vendors, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper, have already shipped fixes.

Safety measures 

Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits. 

The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.

New Gmail Phishing Attack Exploits Login Flow to Steal Credentials

 


Even in today's technologically advanced society, where convenience and connectivity are the norm, cyber threats continue to evolve at an alarming rate. Recent reports show phishing attacks and online scams rising among U.S. consumers, with malicious actors increasingly targeting login credentials in order to steal personal and financial information. Those concerns are echoed by the Federal Bureau of Investigation (FBI), which revealed that online scams accounted for a staggering $16.6 billion in losses last year—a jump of 33 per cent compared with the year prior.

The scale of the problem is highlighted by surveys showing that more than 60 per cent of Americans feel scam attempts are increasing, and nearly one in three report being affected by data breaches regularly. Taken together, these figures make it clear that fortifying digital defences against an ever-expanding threat landscape is of utmost importance.

Phishing itself is not new, but it has evolved dramatically over the past few decades. Such scams were once easy to spot thanks to clumsy emails full of spelling errors and awkward greetings like "Dear User." Today's attacks are far more sophisticated: in this latest Gmail phishing campaign, Google's legitimate login process is mimicked with alarming accuracy, deceiving even tech-savvy users.

Security researchers have documented thousands of compromised Gmail accounts, with stolen credentials opening the door to a broad range of further intrusions, including banking, retail, and social networking sites. A breach like this is comparable to an intruder entering one's digital home with the rightful owner's own key.

A breach of this kind extends well beyond inconvenience and can cause long-lasting financial and personal damage. Investigations show that the campaign relies on deception and the abuse of trusted infrastructure. Fraudulent "New Voice Notification" emails, sent with spoofed sender information, lure victims into listening to a supposed voicemail. The attack is launched through a legitimate Microsoft Dynamics marketing platform, which lends it instant credibility and lets it slip past many standard security controls.

A CAPTCHA page on horkyrown[.]com, which can be traced to Pakistan, then redirects victims to a fake login page that is an exact copy of Gmail's; victims are given no reason to suspect anything before being passed on to the real thing. Because credentials are exfiltrated in real time, the account can be taken over almost immediately. The advent of artificial intelligence in phishing operations adds further complexity to the problem.

Using advanced language models, cybercriminals now craft flawless emails, mimic writing styles, and even place convincing voice calls impersonating trusted figures. According to security companies, AI-driven phishing attempts are at least as effective as human-crafted ones, with success rates rising 55 per cent between 2023 and 2025.

Techniques such as metadata spoofing and "Open Graph Spoofing" let attackers further disguise malicious links, making them almost indistinguishable from safe ones. This new wave of phishing, increasingly personalised, multimodal, and distributed at unprecedented scale, is becoming ever harder to detect.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have already issued warnings about AI-enhanced phishing campaigns targeting Gmail accounts. In one case, Ethereum developer Nick Johnson described receiving a fraudulent “subpoena” email that passed Gmail's authentication checks and looked just like a legitimate security alert. In similar attacks, phone calls and email have been combined to harvest recovery codes, enabling full account takeover.

Analysts also found that attackers stole session cookies, which let them bypass login screens and skip the authentication process entirely. Although Google's filters now block nearly 10 million malicious emails per minute, experts warn that attackers are adapting faster, making stronger authentication measures and user vigilance essential.

Technical analysis of the attack found that Russian servers (purpxqha[.]ru) were used to redirect traffic and perform cross-site requests, while the primary domain infrastructure was registered in Karachi, Pakistan.

The malicious system bypasses multiple layers of Gmail security, letting attackers collect not only email address and password combinations but also two-factor authentication codes, Google Authenticator tokens, backup recovery keys, and even answers to security questions, so that they can take full control of victims' accounts before the victims realise they have been compromised. Security experts have made several recommendations to organisations, including blocking the identified domains, strengthening monitoring, and educating users about these evolving attack vectors. This Gmail phishing wave reflects a broader reality: cybersecurity is no longer a passive discipline but a continuous one that must adapt at the speed of the attackers' innovation.

Cultivating digital scepticism is clearly a priority for individuals: they should question every unexpected email, voicemail, or login request, and reinforce their accounts with two-factor authentication or hardware security keys. A company’s responsibilities extend further, to investing in employee awareness training, running mock phishing exercises, and deploying adaptive tools capable of detecting subtle changes in behaviour.

Collaboration between industry leaders, governments, and security researchers will be crucial to dismantling the criminal infrastructure that exploits global trust. In an environment where deception grows more sophisticated by the day, vigilance is no longer merely a precaution but a form of empowerment, allowing individuals and businesses alike to protect their digital identities from increasingly sophisticated threats.

Shuyal Malware Targets 19 Browsers with Advanced Data Theft and Evasion Capabilities

 

A newly discovered infostealing malware named “Shuyal” has entered the cyber threat landscape, posing a serious risk to users by targeting a wide range of web browsers and deploying sophisticated evasion methods. Identified by researchers at Hybrid Analysis, Shuyal is capable of stealing credentials and sensitive information from 19 different browsers, including lesser-known privacy-focused options like Tor and Brave. 

The malware is named after identifiers found in its code path and represents a new generation of data stealers with expanded surveillance capabilities. Unlike traditional malware that only focuses on login credentials, Shuyal goes deeper—harvesting system-level information, capturing screenshots, monitoring clipboard activity, and sending all of it to cybercriminals using a Telegram bot-controlled infrastructure. 

In his analysis, Vlad Pasca from Hybrid Analysis highlighted that Shuyal performs extensive system reconnaissance. Once it infects a device, it disables the Windows Task Manager to prevent users from detecting or ending the malware’s process. It also hides its tracks by removing evidence of its activities through self-deleting mechanisms, including batch scripts that erase runtime files once the data has been exfiltrated. 

Among the browsers targeted by Shuyal are mainstream options such as Chrome and Edge, but it also compromises more obscure browsers like Waterfox, OperaGx, Comodo, Falko, and others often marketed as safer alternatives. This wide reach makes it particularly concerning for users who believe they are using secure platforms. 

Shuyal collects technical details about the system, including hard drive specifications, connected input devices like keyboards and mice, and display configurations. It compresses all collected data using PowerShell into a temporary folder before transmitting it to the attackers. This organized method of data collection and transfer demonstrates the malware’s highly stealthy design. 

The malware also ensures it remains active on compromised machines by copying itself into the Startup folder, allowing it to launch each time the system is rebooted. 
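The behaviours described in the three paragraphs above (Task Manager disabled, runtime files removed by batch scripts, collected data compressed with PowerShell into a temporary folder, persistence via the Startup folder) are exactly what endpoint telemetry can be searched for. The following is an added example, not code from Hybrid Analysis or from the Shuyal analysis: a triage rule over constructed endpoint events that tags each of those behaviours and raises the confidence when several occur on the same host. The event shape and sample events are invented for the example. Two mechanisms are assumptions, because the analysis above does not name them: that Task Manager is disabled through the `DisableTaskMgr` policy registry value, and that the compression step uses the `Compress-Archive` cmdlet.

```javascript
// Added example (not from Hybrid Analysis or the Shuyal write-up): tagging
// the behaviours the article attributes to the stealer in endpoint telemetry.
// Event shape and sample events are constructed; DisableTaskMgr and
// Compress-Archive are assumed mechanisms, not ones stated in the analysis.

const STARTUP_FOLDER = /\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\/i;
const TEMP_FOLDER = /\\AppData\\Local\\Temp\\/i;

// Constructed sample telemetry (three hosts; WS-02 is benign noise).
const SAMPLE_EVENTS = [
  { host: 'WS-01', type: 'registry_set',
    key: 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr', value: 1 },
  { host: 'WS-01', type: 'file_create',
    path: 'C:\\Users\\j\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe' },
  { host: 'WS-01', type: 'process_start',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -NoP Compress-Archive -Path C:\\Users\\j\\AppData\\Local\\Temp\\col -DestinationPath C:\\Users\\j\\AppData\\Local\\Temp\\out.zip' },
  { host: 'WS-01', type: 'process_start',
    image: 'C:\\Windows\\System32\\cmd.exe',
    cmdline: 'cmd.exe /c "C:\\Users\\j\\AppData\\Local\\Temp\\clean.bat"' },
  { host: 'WS-02', type: 'registry_set',
    key: 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden', value: 1 },
  { host: 'WS-02', type: 'file_create', path: 'C:\\Users\\m\\Downloads\\setup.exe' },
  { host: 'WS-03', type: 'file_create',
    path: 'C:\\Users\\k\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk' },
];

// Map one event to an indicator tag, or null when it matches nothing.
function classifyEvent(ev) {
  switch (ev.type) {
    case 'registry_set':
      // Assumed mechanism for "disables Task Manager".
      if (/\\Policies\\System\\DisableTaskMgr$/i.test(ev.key) && ev.value === 1) return 'task-manager-disabled';
      return null;
    case 'file_create':
      // Copying itself into the Startup folder (stated in the analysis).
      if (STARTUP_FOLDER.test(ev.path) && /\.(exe|lnk|bat|vbs)$/i.test(ev.path)) return 'startup-persistence';
      return null;
    case 'process_start':
      // Assumed cmdlet for "compresses collected data using PowerShell into a temp folder".
      if (/powershell(\.exe)?$/i.test(ev.image) && /Compress-Archive/i.test(ev.cmdline) && TEMP_FOLDER.test(ev.cmdline)) {
        return 'temp-archive-staging';
      }
      // Batch script run from Temp: the self-cleanup step described above.
      if (/cmd(\.exe)?$/i.test(ev.image) && TEMP_FOLDER.test(ev.cmdline) && /\.bat\b/i.test(ev.cmdline)) {
        return 'temp-batch-cleanup';
      }
      return null;
    default:
      return null;
  }
}

// Group tagged events per host; two or more distinct indicators on one host
// is a much stronger signal than any single one (a Startup .lnk alone is common).
function triageHosts(events) {
  const byHost = new Map();
  for (const ev of events) {
    const tag = classifyEvent(ev);
    if (!tag) continue;
    const entry = byHost.get(ev.host) || { indicators: new Set(), events: [] };
    entry.indicators.add(tag);
    entry.events.push(ev);
    byHost.set(ev.host, entry);
  }
  const verdicts = [];
  for (const [host, e] of byHost) {
    verdicts.push({
      host,
      indicators: [...e.indicators].sort(),
      verdict: e.indicators.size >= 2 ? 'likely-infostealer' : 'review',
    });
  }
  return verdicts;
}

console.log(triageHosts(SAMPLE_EVENTS));
```

The per-host correlation is the point: each indicator on its own produces false positives (legitimate software also writes Startup shortcuts and archives files), but the combination of persistence, staging in Temp and a disabled Task Manager on one machine is worth an analyst's time.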

Although researchers have not yet pinpointed the exact methods attackers use to distribute Shuyal, common delivery vectors for similar malware include phishing emails, malicious social media posts, and deceptive captcha pages. Experts caution that infostealers like Shuyal often serve as precursors to more serious threats, including ransomware attacks and business email compromises. 

Hybrid Analysis encourages cybersecurity professionals to study the published indicators of compromise (IOCs) associated with Shuyal to strengthen their defense strategies. As cyber threats evolve, early detection and proactive protection remain essential.

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

“Meta Mirage” Phishing Campaign Poses Global Cybersecurity Threat to Businesses

 

A sophisticated phishing campaign named Meta Mirage is targeting companies using Meta’s Business Suite, according to a new report by cybersecurity experts at CTM360. This global threat is specifically engineered to compromise high-value accounts—including those running paid ads and managing brand profiles.

Researchers discovered that the attackers craft convincing fake communications impersonating official Meta messages, deceiving users into revealing sensitive login information such as passwords and one-time passcodes (OTP).

The scale of the campaign is substantial. Over 14,000 malicious URLs were detected, and alarmingly, nearly 78% of these were not flagged or blocked by browsers when the report was released.

What makes Meta Mirage particularly deceptive is the use of reputable cloud hosting services—like GitHub, Firebase, and Vercel—to host counterfeit login pages. “This mirrors Microsoft’s recent findings on how trusted platforms are being exploited to breach Kubernetes environments,” the researchers noted, highlighting a broader trend in cloud abuse.

Victims receive realistic alerts through email and direct messages. These notifications often mention policy violations, account restrictions, or verification requests, crafted to appear urgent and official. This strategy is similar to the recent Google Sites phishing wave, which used seemingly authentic web pages to mislead users.

CTM360 identified two primary techniques being used:
  • Credential Theft: Victims unknowingly submit passwords and OTPs to lookalike websites. Fake error prompts are displayed to make them re-enter their information, ensuring attackers get accurate credentials.
  • Cookie Theft: Attackers extract browser cookies, allowing persistent access to compromised accounts—even without login credentials.
Compromised business accounts are then weaponized for malicious ad campaigns. “It’s a playbook straight from campaigns like PlayPraetor, where hijacked social media profiles were used to spread fraudulent ads,” the report noted.

The phishing operation is systematic. Attackers begin with non-threatening messages, then escalate the tone over time—moving from mild policy reminders to aggressive warnings about permanent account deletion. This psychological pressure prompts users to respond quickly without verifying the source.

CTM360 advises businesses to:
  • Manage social media accounts only from official or secure devices
  • Use business-specific email addresses
  • Activate Two-Factor Authentication (2FA)
  • Periodically audit security settings and login history
  • Train team members to identify and report suspicious activity
This alarming phishing scheme highlights the need for constant vigilance, cybersecurity hygiene, and proactive measures to secure digital business assets.

Data Reveals Identity-Based Attacks Now Dominate Cybercrime

 

Cyberattacks are undergoing a significant transformation, shifting away from malware-driven methods toward identity exploitation. According to the CrowdStrike 2024 Global Threat Report, three out of four cyberattacks now leverage valid credentials instead of malicious software.

This change is fueled by the expanding cybercrime economy, where stolen identities are becoming as valuable as exploitable system vulnerabilities. A booming underground market for credentials, combined with AI-powered deception and automated phishing, is rendering traditional security measures ineffective.

“You may have really locked down environments for untrusted external threats, but as soon as you look like a legitimate user, you’ve got the keys to the kingdom,” said Elia Zaitsev, CTO at CrowdStrike. This shift presents a pressing challenge for enterprises: if attackers no longer need malware to infiltrate networks, how can they be stopped?

The CrowdStrike report also highlights the speed at which attackers escalate privileges once inside a network. The fastest recorded eCrime breakout time—the duration between initial access and lateral movement—was just 2 minutes and 7 seconds.

Traditional security models that focus on malware detection or manual threat investigation are struggling to keep up. In identity-driven attacks, there are no suspicious payloads to analyze—just adversaries impersonating authorized users. This has led to a rise in living-off-the-land techniques, where attackers use built-in system tools to evade detection. Instead of deploying custom malware, they exploit legitimate credentials and remote monitoring tools to blend seamlessly into network activity.

A key challenge outlined in the 2024 Global Threat Report is the expansion of identity attacks beyond a single environment. Cybercriminals now utilize stolen credentials to move laterally across on-premises, cloud, and SaaS environments, making detection even more difficult.

Jim Guinn, a cybersecurity leader at EY, explained this evolving strategy: “You have to get in, and you have to be able to laterally move throughout the network, which means you have some level of access. And access requires identity.”

Guinn also emphasized the growing role of nation-state actors, who infiltrate networks months or even years in advance, waiting for the right moment to launch an attack.

For companies that still treat endpoint security, cloud security, and identity protection as separate entities, this shift presents a major challenge. Attackers increasingly pivot between these environments, making detection and prevention even more complex.

“The moment that man created AI, he also created a way for bad actors to use AI against you,” Guinn noted. “They're creating a quicker way to get to a set of targets that cybercriminals can use, and they're creating code bases and ways to manipulate users' credentials faster than the human can think about it.”

With identity-based attacks outpacing traditional security defenses, organizations are rethinking their cybersecurity strategies.

One crucial change is the adoption of continuous identity verification. Historically, authentication has been a one-time process, where users log in and remain trusted indefinitely. However, as attackers increasingly impersonate legitimate users, companies are implementing real-time behavioral monitoring to detect anomalies.
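To make the continuous-verification idea concrete, the following is an added example, not code from the article or from CrowdStrike: a small behavioural sign-in monitor that scores every sign-in against the account's own history instead of trusting a session indefinitely after one successful login. It flags a new device, a new country, a missing MFA factor, and two sign-ins from different countries closer together than travel would allow. The event shape, the 60-minute window, the action labels and the sample sign-in log are all assumptions made for the example.

```javascript
// Added example (not from the article or CrowdStrike): scoring each sign-in
// against the user's baseline rather than trusting the session after login.
// Event fields, thresholds and sample data are constructed assumptions.

const IMPOSSIBLE_TRAVEL_WINDOW_MIN = 60; // assumed: two countries inside this window is suspicious

// Constructed sample sign-in log (not real data), ISO timestamps.
const SAMPLE_SIGNINS = [
  { user: 'alice', ts: '2024-03-01T08:00:00Z', country: 'DE', device: 'laptop-a1', mfa: true },
  { user: 'alice', ts: '2024-03-02T08:05:00Z', country: 'DE', device: 'laptop-a1', mfa: true },
  { user: 'alice', ts: '2024-03-03T08:02:00Z', country: 'DE', device: 'laptop-a1', mfa: true },
  // Valid password, but a new device in a new country 25 minutes after the last sign-in,
  // and no MFA: the "looks like a legitimate user" case the article describes.
  { user: 'alice', ts: '2024-03-03T08:27:00Z', country: 'BR', device: 'unknown-7f', mfa: false },
  { user: 'bob',   ts: '2024-03-03T09:00:00Z', country: 'US', device: 'desktop-b2', mfa: true },
  { user: 'bob',   ts: '2024-03-03T17:30:00Z', country: 'US', device: 'desktop-b2', mfa: true },
];

function detectSignInAnomalies(events, windowMin = IMPOSSIBLE_TRAVEL_WINDOW_MIN) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const baseline = new Map(); // user -> { countries: Set, devices: Set, last: event }
  const alerts = [];

  for (const ev of sorted) {
    const b = baseline.get(ev.user) || { countries: new Set(), devices: new Set(), last: null };
    const reasons = [];

    // The first sign-in seen for a user only establishes the baseline.
    if (b.last) {
      const minutes = (Date.parse(ev.ts) - Date.parse(b.last.ts)) / 60000;
      if (ev.country !== b.last.country && minutes < windowMin) {
        reasons.push(`impossible travel ${b.last.country}->${ev.country} in ${minutes} min`);
      }
      if (!b.devices.has(ev.device)) reasons.push(`new device ${ev.device}`);
      if (!b.countries.has(ev.country)) reasons.push(`new country ${ev.country}`);
    }
    if (!ev.mfa) reasons.push('mfa not satisfied');

    if (reasons.length > 0) {
      // Assumed response policy: revoke on impossible travel or a pile-up of
      // signals, otherwise ask for a fresh factor and let the user continue.
      const severe = reasons.some((r) => r.startsWith('impossible travel')) || reasons.length >= 3;
      alerts.push({
        user: ev.user,
        ts: ev.ts,
        reasons,
        action: severe ? 'revoke-session-and-require-reauth' : 'step-up-mfa',
      });
    }

    b.countries.add(ev.country);
    b.devices.add(ev.device);
    b.last = ev;
    baseline.set(ev.user, b);
  }
  return alerts;
}

console.log(detectSignInAnomalies(SAMPLE_SIGNINS));
```

In production the baseline would be persisted per account and fed from the identity provider's sign-in log, and the "action" would drive the session store (revoking tokens) or the IdP (forcing re-authentication), which is what turns the monitoring into the just-in-time control the next paragraph describes.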

Another key adaptation is just-in-time privileges, where employees are granted administrative access only when required—and revoked immediately afterward—to minimize risk.

“We're bringing all that to bear,” Zaitsev explained. “We are taking that cross-domain, multi-domain visibility approach, unifying it all, and then, of course, also focusing heavily on continuous detection, prevention, and response.”

Guinn shared a compelling example of an organization recognizing the importance of identity security. “One of their senior executives said, ‘I think the only reason we haven’t really had a breach—like a significant breach—is because we have multi-factor authentication for our user credentials.’”

The CrowdStrike 2024 Global Threat Report underscores a fundamental shift in cybersecurity: identity, not malware, is the new battleground. Attackers no longer rely on complex exploits or hidden backdoors when they can buy access credentials, phish an employee, or manipulate AI-driven authentication systems.

Simply put, without access to valid credentials, cybercriminals are powerless. This makes identity security the core of modern cybersecurity strategies.

As organizations adapt to this evolving threat landscape, one thing is clear: failing to prioritize identity security leaves businesses vulnerable to adversaries who no longer need to break in—they already have the keys.

Healthcare Sector Faces Highest Risk in Third-Party Cyber Attacks

 



Cybersecurity experts have identified the healthcare industry as the most frequently targeted sector for third-party breaches in 2024, with 41.2% of such incidents affecting medical institutions. This highlights a critical need for improved security measures across healthcare networks.


The Growing Threat of Unnoticed Cyber Breaches  

A recent cybersecurity study warns of the increasing risk posed by “silent breaches.” These attacks remain undetected for extended periods, allowing hackers to infiltrate systems through trusted third-party vendors. Such breaches have had severe consequences in multiple industries, demonstrating the dangers of an interconnected digital infrastructure.

Research from Black Kite’s intelligence team examined cybersecurity incidents from regulatory disclosures and public reports, revealing an alarming rise in sophisticated cyber threats. The findings emphasize the importance of strong third-party risk management to prevent security lapses.


Why Healthcare is at Greater Risk  

Several factors contribute to the vulnerability of healthcare institutions. Medical records contain highly valuable personal and financial data, making them prime targets for cybercriminals. Additionally, the healthcare sector relies heavily on external vendors for essential operations, increasing its exposure to supply chain weaknesses. Many institutions also struggle with outdated security infrastructures, further amplifying risks.

Encouragingly, the study found that 62.5% of healthcare vendors improved their security standards following a cyber incident. Regulatory requirements, such as HIPAA compliance, have played a role in compelling organizations to enhance their cybersecurity frameworks.


Major Findings from the Report

The study highlights key security challenges that organizations faced in 2024:

1. Unauthorized Access to Systems: More than half of third-party breaches involved unauthorized access, underscoring the need for stronger access control measures.

2. Ransomware Attacks on the Rise: Ransomware remained a leading method used by cybercriminals, responsible for 66.7% of reported incidents. Attackers frequently exploit vendor-related weaknesses to maximize impact.

3. Software Vulnerabilities as Entry Points: Cybercriminals took advantage of unpatched or misconfigured software, including newly discovered weaknesses, to infiltrate networks.

4. Credential Theft Increasing: About 8% of attacks involved stolen or misused credentials, highlighting the necessity of robust authentication methods, such as multi-factor authentication.

5. Targeting of Software Vendors: A major 25% of breaches were linked to software providers, reflecting an increased focus on exploiting weaknesses in the software supply chain.


With organizations becoming increasingly reliant on digital tools and cloud-based systems, cyber risks continue to escalate. A single vulnerability in a widely used platform can trigger large-scale security incidents. 

To mitigate risks, businesses must adopt proactive strategies, such as continuous monitoring, prompt software updates, and stricter access controls. Strengthening third-party security practices is essential to minimizing the likelihood of breaches and ensuring the safety of sensitive data.

The healthcare sector, given its heightened exposure, must prioritize comprehensive security measures to reduce the impact of future breaches.



Credential-Stealing Malware Surges, Now a Top MITRE ATT&CK Threat

 

Cybersecurity researchers have uncovered a sharp rise in credential-stealing malware, with 25% of over a million malware samples analyzed in 2024 targeting user credentials. This marks a threefold increase from 2023, propelling credential theft from password stores into the MITRE ATT&CK framework's top 10 techniques. These attacks accounted for 93% of all malicious cyber activities last year.

According to "The Red Report 2025" by Picus Security, threat actors are shifting towards multi-stage, sophisticated attacks, leveraging a new breed of malware. Researchers have labeled this emerging trend "SneakThief," emphasizing its focus on stealth, persistence, and automation. 

Cybercriminals are refining these malware strains to execute highly evasive operations, aiming to carry out "the perfect heist" with built-in capabilities to bypass defenses and extract sensitive data.

Despite growing concerns over AI-driven threats, researchers found no evidence of AI-powered malware in 2024. However, malware samples analyzed were capable of executing an average of 14 malicious actions, with data exfiltration and stealth techniques responsible for 11.3 million cyber incidents last year.

"Focusing on the Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus Security. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

New Two-Step Phishing Attack Exploits Microsoft Visio and SharePoint

 

A novel two-step phishing strategy is targeting Microsoft Visio files (.vsdx) and SharePoint, signaling a new trend in cyber deception, according to experts. Researchers at Perception Point have noted a significant rise in attacks leveraging these previously uncommon .vsdx files.

These files act as delivery tools, directing victims to phishing pages that replicate Microsoft 365 login portals, aiming to steal user credentials.

The two-step phishing attacks employ layered techniques to evade detection. Rather than delivering harmful content directly, these campaigns use trusted platforms like Microsoft SharePoint to host files that appear legitimate. Attackers embed URLs within Visio files, which redirect victims to malicious websites when clicked, bypassing traditional email security systems.

Microsoft Visio, a popular tool for professional diagram creation, has now become a phishing vector. Cybercriminals send emails with Visio files from compromised accounts, often mimicking urgent business communications such as proposals or purchase orders. This tactic encourages recipients to act quickly, increasing the likelihood of success.

Since the emails come from stolen accounts, they often pass authentication checks and evade recipient security filters. In some cases, attackers include .eml files within the emails, embedding additional malicious URLs linked to SharePoint-hosted files.

The Visio files typically contain a clickable button labeled "View Document." Victims are instructed to press the Ctrl key while clicking the button to access the malicious URL. This step, requiring manual interaction, bypasses automated security systems that cannot simulate such behaviors.

Perception Point advises organizations to strengthen their defenses against sophisticated phishing campaigns by adopting advanced threat detection solutions. Suggested measures include:

  • Dynamic URL analysis to identify harmful links.
  • Object detection models to flag suspicious files.
  • Enhanced authentication mechanisms to reduce the impact of compromised accounts.
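One concrete form of the "object detection" measure above is to open a received .vsdx and pull out the hyperlinks it carries before a user can Ctrl-click them. The example below is added here and is not Perception Point's code: a .vsdx is an Office Open XML package (a ZIP whose pages are `visio/pages/pageN.xml`), and a shape's hyperlink is stored as a `Cell` with `N="Address"` inside its `Hyperlink` section; the allowlisted host and the sample package are constructed.

```python
# Added example (not from the original post). Extracts hyperlink targets from
# a Visio .vsdx package so a mail gateway or analyst can allowlist-check them.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed allowlist: hosts an internally shared diagram is expected to link to.
TRUSTED_HOSTS = {"contoso.sharepoint.com"}


def extract_vsdx_links(data: bytes) -> list[str]:
    """Return every hyperlink address stored in the page parts of a .vsdx package."""
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not re.fullmatch(r"visio/pages/page\d+\.xml", name):
                continue
            root = ET.fromstring(pkg.read(name))
            # Match on the local tag name so the Visio XML namespace does not matter.
            for cell in root.iter():
                if cell.tag.rsplit("}", 1)[-1] == "Cell" and cell.get("N") == "Address":
                    if cell.get("V"):
                        links.append(cell.get("V"))
    return links


def suspicious_links(data: bytes) -> list[str]:
    """Links whose host is not allowlisted; these are the ones to sandbox or block."""
    return [u for u in extract_vsdx_links(data)
            if (urlparse(u).hostname or "").lower() not in TRUSTED_HOSTS]


def build_sample_vsdx(urls: list[str]) -> bytes:
    """Constructed minimal .vsdx: one page, one shape per URL, each carrying a
    'View Document' hyperlink. Only the parts the extractor reads are included."""
    ns = "http://schemas.microsoft.com/office/visio/2012/main"
    shapes = "".join(
        f'<Shape ID="{i}" Type="Shape"><Section N="Hyperlink"><Row N="Row_1">'
        f'<Cell N="Address" V="{u}"/><Cell N="Description" V="View Document"/>'
        "</Row></Section></Shape>"
        for i, u in enumerate(urls, 1)
    )
    page = f'<PageContents xmlns="{ns}"><Shapes>{shapes}</Shapes></PageContents>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        pkg.writestr("visio/pages/page1.xml", page)
    return buf.getvalue()
```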

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.
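A defender triaging one of these links wants the real destination behind the Google AMP wrapper and whatever the encoded parameters hide, such as the pre-filled address. The snippet below is an added example, not from Group-IB's report: it relies on the documented AMP viewer URL shape `https://www.google.com/amp/s/<host>/<path>` (the `s/` marking https), and the parameter names and sample URL are constructed.

```python
# Added example (not from Group-IB). Unwraps Google AMP redirect URLs and
# decodes Base64 query values to reveal the final host and any embedded e-mail.
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlparse


def unwrap_amp(url: str) -> str:
    """Return the destination behind a Google AMP viewer URL, else the URL unchanged."""
    p = urlparse(url)
    if p.hostname != "www.google.com" or not p.path.startswith("/amp/"):
        return url
    rest = p.path[len("/amp/"):]
    scheme = "https" if rest.startswith("s/") else "http"
    if rest.startswith("s/"):
        rest = rest[2:]
    target = f"{scheme}://{unquote(rest)}"
    return target + (f"?{p.query}" if p.query else "")


def decode_b64_params(url: str) -> dict:
    """Decode query values that are valid Base64 (standard or URL-safe) text;
    values that do not decode to printable text are kept as-is."""
    out = {}
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = value.replace("-", "+").replace("_", "/")
        candidate += "=" * (-len(candidate) % 4)  # restore stripped padding
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None
        out[key] = decoded if decoded and decoded.isprintable() else value
    return out


def triage(url: str) -> dict:
    """Final host plus any e-mail address hidden in the (decoded) parameters."""
    final = unwrap_amp(url)
    params = decode_b64_params(final)
    emails = [v for v in params.values()
              if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v)]
    return {"final_host": urlparse(final).hostname,
            "params": params, "prefilled_emails": emails}
```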

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.