Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Fraud. Show all posts
South Africa
Cyber Fraud Festive Scams Online fraud ransomware attacks South Africa

South Africa Warns of Cybercrime Surge Amid Festive Season

 

South Africa is experiencing a sudden and deeply concerning rise in cybercrime this holiday season, with consumers and businesses being warned to prepare for more aggressive attacks on digital banking, mobile applications and online services. 

Surge in festive-season attacks

The law firm Cox Yeats has witnessed a significant rise in cyberattacks themed around online shopping and digital payments, criminals are leveraging fake online shops, phishing emails, malicious QR codes and AI-powered impersonation scams to trick people into handing over credentials and payment data. They are encouraged to confirm any communications, transact only in official channels, avoid public Wi‑Fi when conducting transactions and use VPNs or mobile data, and report any suspicious activity as soon as possible.

The Information Regulator logged a total of 2 374 data breach cases that were officially reported for the 2024/25 period, averaging at a high of 200 incidents a month and increasing to about 300 monthly notifications in the current financial year—a 40% increase in security breaches. No organization is immune, as recent attacks have compromised government agencies, healthcare providers, financial institutions, retailers and telecommunication providers in ransomware, data theft and extortion. 

Financial and human cost 

The economic impact is devastating, with the median cost of a data breach to a local business now hovering near R49 million, a sum that can lay waste to even the most well-run small or medium-sized business. South African consumers lost more than R1 billion in 2023 alone through digital banking and mobile app scams, while SABRIC reckons annual losses to cyber-attacks could be as high as R3.3 billion, accompanied by 45% rise in digital banking fraud and a 47% increase in such related financial losses. 

Surveys cited by Mpahlwa show that 70% of South African consumers have fallen victim to cybercrime, compared with 50% globally, with 35% admitting to losing money in scams and 32% acknowledging that they clicked on phishing emails. The emotional strain is mounting too, with 58% of people expressing deep concern about becoming victims, a trend worsened by AI tools that make it easier for criminals to convincingly impersonate brands, colleagues and even family members. 

As ransomware continues to be a highly disruptive threat, with South Africa being the second most targeted country in Africa and third globally for cyberattacks, including double extortion attacks in which stolen data is threatened with being released to the public. Organisations are being advised to harden defences and have strong cyber insurance that covers loss of money, liability, business interruption, incidents relating to ransomware, breaches involving data, and the potential for fines from regulators as the threat landscape rapidly shifts.
Read more »
Scam Prevention
Cyber Fraud Fraud Alerts Holiday Scams Online Safety Scam Prevention

Holiday Scams Surge: How to Protect Yourself This Season

 

Scammers intensify their efforts during the holiday season, exploiting the rush, stress, and increased spending that characterize this time of year. The Federal Bureau of Investigation warns that fraud schemes spike significantly as criminals deploy sophisticated tactics—including AI-generated offers and phony delivery notifications—to steal money and personal information from unsuspecting victims.

The holiday period creates perfect conditions for fraudsters. People are distracted by family obligations, travel plans, and shopping deadlines, making them less likely to scrutinize suspicious messages or verify deals that appear too good to be true. With money flowing through shopping, travel bookings, and gift exchanges, scammers have numerous opportunities to exploit vulnerable targets.

Common holiday scams

Fake online shopping sites represent one of the most prevalent threats. These professional-looking storefronts advertise steep holiday discounts but disappear after collecting payments without delivering products. Consumers should navigate directly to trusted retailer websites rather than clicking promotional links and use credit cards for easier fraud disputes.

Phishing and smishing attacks flood inboxes with messages impersonating delivery services, claiming shipping problems or requesting order confirmations. These messages aim to harvest login credentials and financial details. Recipients should avoid clicking links in unexpected messages and instead manually type company URLs into browsers to verify account status.

Gift card scams involve tampering with physical cards to drain balances after activation or pressuring victims to pay with gift cards instead of standard methods. Purchasing cards directly from secure locations and retaining receipts provides protection against these schemes.Bogus charity operations emerge during the holidays, exploiting generosity through emotional donation requests. Donors should verify organizations using platforms like Charity Navigator before contributing funds.

Travel scams target holiday travelers with fake airline, hotel, or rental confirmations designed to collect money and personal information. Booking directly through official company channels and confirming reservations via verified apps prevents these frauds.Imposter scams feature criminals posing as customer service representatives on social media to extract sensitive data. 

Users should only engage with verified business accounts and never share personal details through direct messages.Non-delivery scams occur when buyers pay for goods they never receive or sellers ship items without receiving payment. Using platforms with buyer and seller protections minimizes these risks.

Protection strategies

Awareness and simple habits provide effective defense. Slowing down before clicking links, verifying sellers through reviews, and favoring credit cards over peer-to-peer payment apps significantly reduce risk. When urgency triggers suspicion, pausing to verify information can prevent costly mistakes and protect finances throughout the holiday season
Read more »
WhatsApp Security
Account Takeover browser hijacking Cyber Fraud Device Pairing End-to-End Encryption Identity Threats QR Phishing Social Engineering WhatsApp Security

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

 


An ongoing campaign that aims to seize control of WhatsApp accounts by manipulating WhatsApp's own multi-device architecture has been revealed by cybersecurity experts in the wake of an ongoing, highly targeted attack designed to illustrate the increasing complexity of digital identity threats. 

Known as GhostPairing, the attack exploits the trust inherent in WhatsApp's system for pairing devices - a feature that allows WhatsApp Web users to send encrypted messages across laptops, mobile phones, and browsers by using the WhatsApp Web client. 

Through a covert means of guiding victims into completing a legitimate pairing process, malicious actors are able to link an attacker-controlled browser as a hidden companion device to the target account, without alerting the user or sending him/her any device notifications at all. 

The end-to-end encryption and frictionless cross-platform synchronization capabilities of WhatsApp remain among the most impressive in the industry, but investigators warn that these very strengths of the service have been used to subvert the security model, which has enabled adversaries to have persistent access to messages, media, and account controls.

Although the encryption remains intact in such a scenario technically, it will be strategically nullified if the authentication layer is compromised, allowing attackers to read and reply to conversations from within their own account. This effectively converts a feature that was designed to protect your privacy into an entry point for silent account takeovers, effectively converting a privacy-first feature into a security-centric attack.

Analysts have characterized GhostPairing as a methodical account takeover strategy that relies on WhatsApp’s legitimate infrastructure of device linkage as a means of obtaining access to accounts instead of compromising WhatsApp’s security through conventional methods of authentication. In this technique, users are manipulated socially so that they link an external device, under the false impression that they are completing a verification process. 

As a general rule, an attack takes place through messages appearing to come from trusted contacts, often compromised accounts, and containing links disguised as photos, documents, or videos. Once accessed by victims, these links lead them to fake websites meticulously modeled after popular social media platforms such as Facebook and WhatsApp, where allegedly the victim will be asked to enter his or her phone number as part of an authentication process. 

Moreover, the pages are designed to generate QR codes that are used to verify customer support, comply with regulations regarding KYC, process job applications, update KYC records, register promotional events, or recover account information. By scanning QR codes that mirror the format used by WhatsApp Web, users unintentionally link their accounts to those of attackers, not realizing they are scanning QR codes that are actually the same format used by WhatsApp Web. 

It is important to know that once the connection is paired, it runs quietly in the background, and the account owner does not receive an explicit login approval or security alert. Although WhatsApp’s encryption remains technically intact, the compromise at the device-pairing layer allows threat actors to access private communications in a way that effectively sidesteps encryption by allowing them to enter authenticated sessions from within their own account environment, even though WhatsApp’s encryption has remained unbroken technologically. 

The cybercriminals will then be able to retrieve historical chat data, track incoming messages in real time, view and transmit shared media — including images, videos, documents, and voice notes — and send messages while impersonating the legitimate account holder in order to take over the account. Additionally, compromised accounts are being repurposed as propagation channels for a broader range of targets, further enlarging the campaign's reach and scale. 

The intrusion does not affect normal app behavior or cause system instability, so victims are frequently unaware of unauthorized access for prolonged periods of time, which allows attackers to maintain persistent surveillance without detection for quite a while. 

The campaign was initially traced to users in the Czech Republic, but subsequent analysis has shown that the campaign's reach is much larger than one specific country. During their investigation, researchers discovered that threat actors have been using reusable phishing kits capable of rapid replication, which allows operations to scale simultaneously across countries, languages, and communication patterns. 

A victim's contact list is already populated with compromised or impersonated accounts, providing an additional layer of misplaced trust to the outreach, which is what initiates the attack chain. In many of these messages, the sender claims that they have found a photograph and invites their recipients to take a look at it through a link intentionally designed to look like the preview or media viewer for Facebook content. 

As soon as the link is accessed, users are taken to a fake, Facebook-branded verification page that requires them to authenticate their identity before they can view the supposed content. The deliberate mimicry of familiar interfaces plays a central role in lowering suspicions, thereby encouraging victims to complete verification steps with little hesitation, according to security analysts. 

A study published by Gen Digital's threat intelligence division indicates that the campaign is not relying on malware deployments or credential interceptions to execute. This malware manipulates WhatsApp's legitimate device-pairing system instead. 

As a consequence of the manipulation, WhatsApp allows users to link browsers and desktop applications together for the purpose of synchronizing messaging. Attackers can easily bind an unauthorized browser to an account by convincing the users to voluntarily approve the connection. In other words, they are able to bypass encryption by entering through a door of authentication that they themselves unknowingly open, rather than breaking it.

It has become increasingly apparent that threat actors are moving away from breaking encryption towards undermining the mechanisms governing access to it, as evidenced by GhostPairing. As part of this attack, people are using WhatsApp's unique feature: frictionless onboarding and the ability to link their devices to their account with just a phone number in order to extend your account to as many devices as they like. 

The simplicity of WhatsApp, often cited as a cornerstone of the company's global success, means that users don't have to enter usernames or passwords, reinforcing convenience, but inadvertently exposing more vulnerabilities to malicious use. WhatsApp's end-to-end encryption architecture further complicates things, since it provides every user with their own private key. 

Private cryptographic keys that are used to securely encrypt the content of the messages are stored only on the user's device, which theoretically should prevent eavesdropping unless an attacker is able to physically acquire the device or deploy malware to compromise it remotely if it can be accessed remotely. 

By embedding an attacker's device within an authenticated session, GhostPairing demonstrates that a social engineering attack can circumvent encryption without decrypting the data, but by embedding an attacker's device within a session in which encrypted content is already rendered readable, thus circumventing the encryption. 

Researchers have found that the technique is comparatively less scalable on platforms such as Signal, which supports only QR-based approvals for pairing devices, and this limitation has been noted to offer some protection against similar thematically driven device linking techniques. 

The analysts emphasize from a defensive standpoint that WhatsApp provides users with an option to see what devices are linked to them through their account settings section titled Linked Devices. In this section, unauthorized connections can, in principle, be identified, as well. The attackers may be able to establish silent persistence through fraudulently linking devices, but they cannot remove or revoke their device access themselves, since the primary registered device remains in charge of revocation. 

The addition of two-step PIN verification as a mitigation, which prevents attackers from making changes to an account's primary email address, adds additional hurdles for attackers. However, this control does not hinder access to messages once pairing has been completed. Especially acute consequences exist for organizations.

A common way for employees to communicate is via WhatsApp, which can sometimes lead to informal group discussions involving multiple members - many of which are conducted outside of formal documentation and oversight. It has been recommended by security teams to assume the existence of these shadow communication clusters, rather than treat them as exceptions, but as a default risk category. 

A number of industry guidelines (including those that have prevailed for the past five years) emphasize the importance of continued user awareness, and in particular that users should be trained in identifying phishing attempts, unsolicited spam, and the like, even if the attempt seems to come from well-known contacts or plausible verification attempts. 

The timing of the attack is difficult to determine when viewed from a broader perspective, but there are no signs that there is any relief. According to a report published by Meta in April of this year, millions of WhatsApp users had their mobile numbers exposed, and Meta confirmed earlier this year that the Windows desktop application had security vulnerabilities.

In parallel investigations, compromised Signal-based messaging tools have also been found to have been compromised by political figures and senior officials, confirming that cross-platform messaging ecosystems, regardless of whether or not they use encryption strength, are now experiencing identity-layer vulnerabilities that must be addressed with the same urgency as network or malware attacks have been traditionally addressed.

The GhostPairing campaign signals a nuanced, yet significant change in techniques for gaining access to accounts, which reflects a longer-term trend in which attackers attempt to gain access to identities through behavioral influence rather than technical subversion. 

Threat actors exploit WhatsApp's ability to link devices exactly as it was intended to work, whereas they decrypt the secure communication or override authentication safeguards in a way that seems to be more effective. 

They engineer moments of cooperation through the use of persuasive, familiar-looking interfaces. A sophisticated attack can be carried out by embedding fraudulent prompts within convincingly branded verification flows, which allows attackers to secure enduring access to victim accounts with very little technical skill, relying on legitimacy by design instead of compromising the systems.

There is a warning from security researchers that this approach goes beyond regional boundaries, as scalable phishing kits and interface mimicry enable multiple countries to deploy it across multiple languages. 

A similar attack can be attempted on any digital service that allows set-up via QR codes or numeric confirmation steps, irrespective of whether the system is built on a dedicated platform or not. This has an inherent vulnerability to similar attacks, especially when human trust is regarded as the primary open-source software vulnerability. 

Analysts have emphasized that the attack's effectiveness stems from the convergence of social engineering precision with permissive multi-device frameworks, so that it allows adversaries to penetrate encrypted environments without any need to break the encryption at all — and to get to a session in which all messages have already been decrypted for the authenticated user. 

It is encouraging to note that the defensive measures necessary to combat such threats are still relatively straightforward. The success rate of such deception-driven compromises could be significantly reduced if regular device hygiene audits, greater user awareness, and modest platform refinements such as clearer pairing alerts and tighter device verification constraints were implemented. 

Especially for organizations that are exposed to undocumented employee group chats that operate outside the formal oversight of the organization are of crucial importance for reducing risk. User education and internal reporting mechanisms are crucial components of mitigating risks. 

Amidst the rapid increase in digital interactions, defenders are being urged to treat vigilance in the process not as an add-on practice, but rather as a foundational layer of account security for the future. GhostPairing's recent appearance serves to serve as a reminder that the security of modern communication platforms is no longer solely defined by encryption standards, rather by the resilience of the systems that govern access to them, and that the security of these systems must be maintained at all times.

It is evident that as messaging ecosystems continue to grow and integrate themselves into everyday interactions — such as sharing personal media or coordinating workplace activities — the balance between convenience and control demands renewed scrutiny. 

It is strongly advised for users to follow regular digital safety practices, such as verifying unexpected links even if they are sent by familiar contacts, regularly auditing linked devices, and activating two-factor safeguards, such as two-step PIN verification, to ensure that their data is secure.

As organizations become increasingly aware of threats beyond the perimeter of their organizations, they should cultivate a culture of internal threat reporting that ensures that unofficial communication groups are acknowledged in risk models rather than ignored. 

Security teams are advised to conduct phishing awareness drills, make device-pairing alerts more clear at the platform level, and conduct periodic access hygiene reviews of widely used communication channels, such as encrypted messengers, for a number of reasons. 

With the incidence of identity-layer attacks on the rise, researchers emphasize that informed users remain the best countermeasure against silent account compromise - making awareness the best strategic strategy in the fight against silent account compromises, not only as a reactive habit, but as a long-term advantage.
Read more »
Subscription Abuse
Cyber Fraud Identity Theft PayPal Scam Phishing Campaign Subscription Abuse

PayPal Subscriptions Exploited in Sophisticated Email Scam

 

Hackers have found a clever way to misuse PayPal's legitimate email system to send authentic looking phishing scams that are able to bypass security filters and look genuine to the end users.

Over the last few weeks, users are complaining that they are receiving emails from PayPal's legitimate address "service@paypal.com" informing that their automatic payment has expired. The emails successfully pass all the usual security checks such as DKIM and SPF authentication and have proved to be coming directly from PayPal’s mail servers. 

One of the reasons these messages are potent is that the scammers have altered the Customer Service URL to take users to their own websites from where they can see fake purchase notifications, claiming victims have purchased high-priced electronics such as MacBooks, iPhones, or Sony devices for USD 1,300 to 1,600.

The spam text message contains Unicode characters which can make the words bold or in different fonts, all this is to help to get round spam filters and keyword detection. Instead, the messages tell recipients to call a phony “PayPal support” phone number to cancel or dispute the alleged charges. 

BleepingComputer's analysis of logs and transactions shows that the PayPal Subscriptions feature is being abused by scammers. When merchants hold a subscriber's subscription, they can do so with their own mechanism, and PayPal, in turn, will notify subscribers via email. PayPal seems to be vulnerable to a subscription metadata attack - perhaps in an API or legacy platform - which lets attackers insert arbitrary text in the Customer Service URL field (it normally only accepts valid URLs). 

The scammers can forge emails and register a fake subscriber account for an email address associated with Google Workspace mailing list. When these accounts receive the notification from PayPal, the mailing list service sends what looks like a legitimate e-mail from PayPal to the list of "victims", making it looks more and more like a scam.

Safety measures

Recipients should ignore these emails and avoid calling the provided phone numbers. These tactics historically aim to facilitate bank fraud or trick victims into installing malware on their devices . PayPal confirmed awareness of the scam and recommends customers contact support directly through the official PayPal app or website if they suspect fraudulent activity. Users concerned about account compromise should log into their PayPal account directly rather than clicking email links to verify whether any unauthorized charges actually occurred.
Read more »
money mules
Bank Accounts Cyber Fraud Financial Fraud Money Laundering money mules

Why Banks Must Proactively Detect Money Mule Activity



Financial institutions are under increasing pressure to strengthen their response to money mule activity, a growing form of financial crime that enables fraud and money laundering. Money mules are bank account holders who move illegally obtained funds on behalf of criminals, either knowingly or unknowingly. These activities allow criminals to disguise the origin of stolen money and reintroduce it into the legitimate financial system.

Recent regulatory reviews and industry findings stress upon the scale of the problem. Hundreds of thousands of bank accounts linked to mule activity have been closed in recent years, yet only a fraction are formally reported to shared fraud databases. High evidentiary thresholds mean many suspicious cases go undocumented, allowing criminal networks to continue operating across institutions without early disruption.

At the same time, banks are increasingly relying on advanced technologies to address the issue. Machine learning systems are now being used to analyze customer behavior and transaction patterns, enabling institutions to flag large volumes of suspected mule accounts. This has become especially important as real-time and instant payment methods gain widespread adoption, leaving little time to react once funds have been transferred.

Money mules are often recruited through deceptive tactics. Criminals frequently use social media platforms to promote offers of quick and easy money, targeting individuals willing to participate knowingly. Others are drawn in through scams such as fake job listings or romance fraud, where victims are manipulated into moving money without understanding its illegal origin. This wide range of intent makes detection far more complex than traditional fraud cases.

To improve identification, fraud teams categorize mule behavior into five distinct profiles.

The first group includes individuals who intentionally commit fraud. These users open accounts with the clear purpose of laundering money and often rely on stolen or fabricated identities to avoid detection. Identifying them requires strong screening during account creation and close monitoring of early account behavior.

Another group consists of people who sell access to their bank accounts. These users may not move funds themselves, but they allow criminals to take control of their accounts. Because these accounts often have a history of normal use, detection depends on spotting sudden changes such as unfamiliar devices, new users, or altered behavior patterns. External intelligence sources can also support identification.

Some mules act as willing intermediaries, knowingly transferring illegal funds for personal gain. These individuals continue everyday banking activities alongside fraudulent transactions, making them harder to detect. Indicators include unusual transaction speed, abnormal payment destinations, and increased use of peer-to-peer payment services.

There are also mules who unknowingly facilitate fraud. These individuals believe they are handling legitimate payments, such as proceeds from online sales or temporary work. Detecting such cases requires careful analysis of transaction context, payment origins, and inconsistencies with the customer’s normal activity.

The final category includes victims whose accounts are exploited through account takeover. In these cases, fraudsters gain access and use the account as a laundering channel. Sudden deviations in login behavior, device usage, or transaction patterns are critical warning signs.

To reduce financial crime effectively, banks must monitor accounts continuously from the moment they are opened. Attempting to trace funds after they have moved through multiple institutions is costly and rarely successful. Cross-industry information sharing also remains essential to disrupting mule networks early and preventing widespread harm. 

Read more »
Sensitive data
Cyber Fraud Doxing Email Law Enforcement Sensitive data

Hackers Are Posing as Police to Steal User Data from Tech Companies

 


Cybersecurity investigators are warning about a spreading threat in which cybercriminals impersonate law enforcement officers to unlawfully obtain sensitive user information from major technology companies. These attackers exploit emergency data request systems that are designed to help police respond quickly in life-threatening situations.

In one documented incident earlier this year, a US internet service provider received what appeared to be an urgent email from a police officer requesting user data. The request was treated as authentic, and within a short time, the company shared private details belonging to a gamer based in New York. The information included personal identifiers such as name, residential address, phone numbers, and email contact. Later investigations revealed that the email was fraudulent and not sent by any law enforcement authority.

Journalistic review of internal evidence indicates that the message originated from an organized hacking group that profits by selling stolen personal data. These groups offer what is commonly referred to as doxing services, where private information is extracted from companies and delivered to paying clients.

One individual associated with the operation admitted involvement in the incident and claimed that similar impersonation tactics have worked against multiple large technology platforms. According to the individual, the process requires minimal time and relies on exploiting weak verification procedures. Some companies acknowledged receiving inquiries about these incidents but declined to provide further comment.

Law enforcement officials have expressed concern over the misuse of officer identities, particularly when attackers use real names, badge numbers, and department references to appear legitimate. This tactic exponentially increases the likelihood that companies will comply without deeper scrutiny.

Under normal circumstances, police data requests are processed through formal legal channels, often taking several days. Emergency requests, however, are designed to bypass standard timelines when immediate harm is suspected. Hackers take advantage of this urgency by submitting forged documents that mimic legitimate legal language, seals, and citations.

Once attackers obtain a small amount of publicly accessible data, such as a username or IP address, they can convincingly frame their requests. In some cases, falsified warrants were used to seek even more sensitive records, including communication logs.

Evidence reviewed by journalists suggests the operation is extensive, involving hundreds of fraudulent requests and generating substantial financial gain. Materials such as call recordings and internal documents indicate repeated successful interactions with corporate legal teams. In certain cases, companies later detected irregularities and blocked further communication, introducing additional safeguards without disclosing technical details.

A concerning weakness lies in the fragmented nature of US law enforcement communication systems. With thousands of agencies using different email domains and formats, companies struggle to establish consistent verification standards. Attackers exploit this by registering domains that closely resemble legitimate police addresses and spoofing official phone numbers.

Experts note that many companies still rely on email-based systems for emergency data requests and publicly available submission guidelines. While intended to assist law enforcement, these instructions can unintentionally provide attackers with ready-made templates.

Although warnings about fake emergency requests have circulated for years, recent findings show the practice remains widespread. The issue gives centre stage to a broader challenge in balancing rapid response with rigorous verification, especially when human judgment is pressured by perceived urgency. Without systemic improvements, trust-based processes will continue to be abused.


Read more »
Tech Support Scam
Bitcoin ATM Scam Call Center Scam Cross Border Cybercrime Cryptocurrency Fraud Cyber Fraud CyberCrime Cybersecurity Investigation Fake Microsoft Support Tech Support Scam

Fake Microsoft Support Call Center Scam Targeting US Citizens Brought Down


 

An investigation by the Bengaluru police has revealed that a sophisticated cyber fraud operation was operating in the city masquerading as Microsoft Technical Support, targeting U.S. citizens in an attempt to defraud them, bringing an end to a transnational scam network that has been working from the city for some time. 

On Saturday, the Special Cell of the Cyber Command, in coordination with the Cyber Crime Police of the Whitefield Division, conducted a raid at the premises of a firm known as Musk Communications in response to certain intelligence. 

The raid was conducted based on specific intelligence. A number of investigations have revealed that the company, which began operations in August, has established a scam center that is fully functional and consists of approximately 4,500 square feet of space, where employees allegedly pose as Microsoft support technicians in order to deceive foreign nationals and defraud them. 

Several individuals have been arrested from the facility for being directly involved in the fraudulent activities, according to police. This operation was designed with the intent of systematically exploiting overseas victims through carefully orchestrated technical support scams, and according to police, 21 individuals have been arrested. Several rented office spaces were used by the racket, where callers dressed up as Microsoft representatives and targeted residents throughout the country as a whole. 

A number of victims have been targeted either directly or through deceptive pop-up messages that falsely stated that their computer was infected with malware or had been compromised, leading them to be lured in. Once the callers had established a connection with the target, they convinced them to install remote access applications like AnyDesk or TeamViewer, which allowed the fraudsters to take control of the target computer system. 

During these scams, police allege that the accused intentionally generated false technical glitches, frozen computer screens, or generated fake virus alerts to increase anxiety in victims and coerce them into paying for services that were unnecessary, nonexistent, or unreliable. 

According to investigators, the group has been charging amounts ranging from several hundred dollars up to several thousand dollars for sham repairs, extended warranties, and counterfeit security subscriptions. According to investigators, the organization may have facilitated the funneling of crores of rupees through international payment gateways designed to obscure financial records for over a year. 

The raid resulted in the discovery of 35 computers, 45 mobile phones, Voice over IP-based communication systems, scripted call templates, and extensive customer data logs which contained the details of hundreds of prospective targets and a variety of other items. It has been reported that the arrestees were trained to adopt an American accent so as not to raise suspicion, underscoring the systematic and calculated nature of the fraud.

As a result of this case, the police said that cross-border technology support scams are becoming increasingly prevalent, preying on seniors and digitally vulnerable individuals overseas, and that further investigations are currently underway to find out who was behind the fraud, who provided the money, and who was involved in it overseas.

According to Bengaluru Police Cyber Crime Division officials, the syndicate targeted victims both in the United States and in the United Kingdom. It falsely appeared to represent itself as Microsoft's technical support department. 

During the course of the investigation, it was learned that callers escalated the deception by citing fabricated Federal Trade Commission violations, informing victims that their systems were being compromised or that they were being involved in unlawful online activity. This fraudster has allegedly demanded substantial payments in Bitcoin as a means of resolving these purported threats, and instructed victims to deposit money at cryptocurrency ATMs. 

According to police estimates, the individual losses are estimated to have averaged around $10,000. A number of intimidation tactics were employed to pressure compliance by the operation, including false legal penalties and urgent cyber alerts. Senior IPS officers confirmed that the majority of those targeted were elderly individuals who are not familiar with digital security practices. 

Further inquiries revealed that there were nearly 85 people employed in Bengaluru to manage the company's data, handle calls, and simulate foreign technology executives, in a professionally layered setup. There were a number of elements involved in the operation, including American accents, detailed scripts, and email addresses that were designed to mimic official Microsoft and U.S. regulatory addresses. 

It was the task of those arrested to extract personal and financial information during staged troubleshooting sessions, which then allowed payments to be converted to cryptocurrency, which disguised the financial trail in the process. It has been reported that backend systems linked the operation to foreign digital wallets and crypto exchanges that are already under scrutiny by US authorities. 

As a result of this investigation, the investigators are now looking at tracking Bitcoin transactions and identifying international collaborators involved in routing the proceeds. The government is collaborating with Interpol and the federal government to map digital wallet movements and preliminary findings indicate that between August and November 2025, at least $13.5 crore was transferred in multiple tranches through Bitcoin ATMs in multiple batches. 

Additionally, analysts are analyzing the seized servers to find out how the syndicate sourced contact information of overseas victims. As officials pointed out, Bengaluru is becoming increasingly vulnerable to cybercrime networks worldwide. 

It is due to this that skilled manpower and readily available digital infrastructure are being exploited by fraud rings operating under the cover of technology support firms in Bengaluru, prompting tighter monitoring of the registration of startups, co-working spaces, and tech parks around the city. 

Since August, investigators have discovered that the network has contacted 150 victims across the United States and the United Kingdom, coercing them into depositing large sums of money-often close to $10,000-through Bitcoin ATMs, causing them to withdraw substantial sums. In a statement to the IPS, a senior officer stated that authorities are currently extracting and verifying financial information about victims. 

The officer also stated that preliminary findings indicate cryptocurrency kiosks are the primary means by which illicit payments are collected. A police report states that the accused posed as a technical support representative for Microsoft around the world and invoked fabricated Federal Trade Commission violations as a way of instilling fear in the public. Under the guise of mandatory security fixes and regulatory compliance procedures, the accused demanded money. 

According to the reports, the operation's three key masterminds remain absconding and are believed to have orchestrated similar scams targeting victims across the U.S. and the U.K. since 2022. In a scheme of this magnitude, Musk Communications rented a 4,500-square-foot office space in August at a monthly charge of Rs. 5 lakh, where the gang planned to deploy malicious Facebook ads that were targeted at American users as part of its campaign against the US government.

 In the ads, investigators found embedded code that mimicked legitimate security alerts; when clicked on, it would freeze the user's system and trigger a fake pop-up message that appeared to be from Microsoft's global support center with a counterfeit helpline number, which claimed to originate from that support center. 

According to the alleged victim, who contacted the number was told that their computer systems had been hacked, IP addresses had been compromised, and their banking information had been compromised, and they were subsequently pressured into making high-value payments using Bitcoin ATMs, which subsequently triggered the scam.

According to the Police, the company employed 83 employees, including 21 technical operators who were directly involved in the fraud. The salaries for these employees ranged from $15k to $25k per month. Among the other arrests confirmed by investigators in this case was Ravi Chauhan, an Ahmedabad resident, alleged to have been a major part of recruiting nearly 85 staff members for this operation. This brings the total number of arrests in this case to 22 as the investigation continues to pursue remaining suspects and the financial flows that are tied to this scheme. 

There has been a surge in organized cybercrime syndicates operating across borders in recent years, and authorities have issued warnings about the evolving tactics and techniques they are using, particularly those that exploit the trust people have in recognized technology brands internationally. 

Moreover, the police emphasized that legitimate companies such as Microsoft should not initiate unsolicited technical support calls, issue pop-up warnings butting into the system immediately, or seek payments through cryptocurrency channels in order to receive support. 

It was urged by officials that users, particularly those who were unfamiliar with digital platforms and elderly, should exercise caution when faced with alarming online messages or calls claiming legal or security violations, and that they should verify the claims by going to official websites or using authorised service channels.

It has also been emphasized by cybercrime investigators that the need for stronger awareness campaigns needs to be strengthened, short-term commercial rentals need to be closely scrutinized, and online advertising platforms need to be more tightly regulated so they can deliver malicious content on a more regular basis.

This investigation is continuing to trace financial flows and international connections, and authorities are stating that the case serves as a reminder of how sophisticated and large-scale modern tech-support fraud really is, underscoring the need for digital literacy, cross-border cooperation, and timely reporting as a way of counteracting scams that take advantage of fear, urgency, and misinformation.
Read more »
PayPal subscription scam
Cyber Fraud PayPal email scam PayPal fake purchase alert PayPal phishing emails PayPal subscription scam

PayPal Subscription Feature Exploited to Send Real Emails With Fake High-Value Purchase Alerts

 

A new email scam is misusing PayPal’s Subscriptions billing system to send genuine PayPal emails that contain fraudulent purchase claims hidden inside the Customer Service URL field.

Over the last few months, multiple users have reported receiving PayPal emails stating, "Your automatic payment is no longer active." While the message appears routine, the Customer Service URL field has been manipulated to display alarming text claiming the recipient bought an expensive product such as a Sony device, MacBook, or iPhone.

The embedded message typically mentions a payment ranging between $1,300 and $1,600, includes a suspicious domain name, and provides a phone number that victims are urged to call to cancel or dispute the charge. Scammers use Unicode characters to alter fonts and emphasize certain words, a technique designed to bypass spam filters and keyword detection systems.

"http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email.

Although the content is fraudulent, the emails are sent directly from service@paypal.com
, which causes confusion and concern among recipients who fear their PayPal accounts may have been compromised. Because the messages originate from PayPal’s legitimate mail servers, they often bypass spam and security filters.

The primary objective of this scam is to frighten recipients into believing their account was used to make a costly purchase, prompting them to call the fake “PayPal support” number. Such calls are typically used to carry out bank fraud or persuade victims to install malicious software on their devices.

Users who receive these emails are advised not to call the listed number. If there is concern about account security, the safest approach is to log in directly to PayPal and verify whether any unauthorized transaction has occurred.

How the PayPal scam works

BleepingComputer reviewed a copy of the email and confirmed that it was sent from PayPal’s official infrastructure. Email headers show that the messages pass SPF, DKIM, and DMARC checks and originate from PayPal’s mx15.slc.paypal.com mail server.

Further investigation revealed that the same email template can be triggered by using PayPal’s Subscriptions feature. This tool allows merchants to set up recurring billing for services. When a subscription is paused, PayPal automatically sends the subscriber an email stating that their automatic payment is no longer active.

Under normal circumstances, PayPal restricts the Customer Service URL field to valid URLs only. However, in this case, scammers appear to be exploiting a weakness in how subscription metadata is handled or using an alternative method—possibly via an API or legacy system—that permits invalid text to be stored in that field.

What remains unclear is how these emails reach individuals who never signed up for the subscription. Mail headers indicate that PayPal sends the message to an address believed to belong to a fake subscriber account created by the scammer. This address is likely linked to a Google Workspace mailing list, which automatically forwards the email to all its members—the intended victims.

Such forwarding can cause later SPF and DMARC checks to fail, since the message is relayed by servers other than PayPal’s original mail system.

PayPal has acknowledged the issue and confirmed that action is being taken.

“PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving phishing scams," PayPal told BleepingComputer.

"We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."
Read more »
text message scams
Cyber Fraud cybersecurity tips Email Scams fake URLs holiday phishing scams online fraud prevention scam links text message scams

Holiday Scam Alerts Rise: How to Spot Fake Links and Stay Safe From Phishing Attacks

 

As the festive season rolls in with cozy drinks, twinkling lights and gift exchanges, it also brings a sharp spike in online scams. Cybercriminals are working overtime during the holidays, using increasingly advanced tactics to trick people into clicking malicious links or sharing sensitive information. Distinguishing between a real website and a fraudulent one has never been more challenging.

Stopping these digital grinches is a constant battle. Data from the FBI’s Internet Crime Complaint Center shows that phishing and spoofing scams drained more than $70 million from victims during the 2024 holiday season alone.

What makes these scams particularly dangerous is how convincing they’ve become. Many fraudulent links now use standard “https” encryption and domain names that closely resemble legitimate brands, making them appear authentic at first glance.

Clicking on a scam link can lead to serious consequences beyond a ruined holiday mood. Victims may face financial losses, unknowingly hand over credit card details to a fake “Secret Santa,” or download malware that can lock up devices in seconds. Understanding how to identify and avoid scam links is key to staying protected this season.

How to identify scam links

Scam links commonly appear in phishing emails, text messages, social media messages and other forms of digital communication. Their goal is to lure users into downloading malware or entering personal and financial information on fake websites. Popular schemes include unpaid toll notices, fake investment offers, gold bar scams and fraudulent job opportunities.

Cybercriminals often send these messages in bulk, increasingly using artificial intelligence to make them seem legitimate. Despite repeated warnings, enough people fall for these scams each year to keep the cycle going.

Here’s how you can avoid taking the bait.

1. Check the URL carefully : “Smartphones do their best to block scam links, so attackers use tricks to make their links clickable,” said Joshua McKenty, CEO of Polyguard.ai, a cybersecurity company that helps businesses protect mobile phones and call centers from AI-driven phishing scams.

He advises watching for red flags such as an “@” symbol within the URL or two web addresses combined using a question mark — especially if the first part looks like a trusted site such as Google.com or Apple.com.

Dave Meister, a cybersecurity spokesperson for global cybersecurity company Check Point, noted that hovering over a link can often reveal its true destination. He also warned users to be alert for “typo-squatting,” where fake URLs closely mimic real ones, such as using “PayPa1” instead of “PayPal.”

2. Stick to familiar domains : Being familiar with the websites you regularly visit can significantly reduce risk.

“Major brands, especially banks and retailers, don't often change up their domain names,” McKenty said. “If the link says Chase.com, it's likely safe. If it says, Chase-Banking-App.com, stay away.”

Shortened links are common in text messages and on social media, but they’re risky. “Sadly, there's no safe way to check a shortened URL,” McKenty said, recommending that people avoid clicking them altogether.

Links from services like Bit.ly or Shorturl may still display “https://,” which can be misleading. In these cases, it’s important to read the message closely and watch for urgency, threats or pressure to act quickly — all classic scam tactics.

Common ways scam links reach victims

1. Text message scams : Not all scams rely on website links. Phone numbers themselves are often used to deceive victims.

“People get tricked into clicking a phone number that's not actually their bank or the IRS, and then surrendering identity information on the phone,” McKenty said.

Engaging with scammers, even out of curiosity, can make things worse. Responding may signal that your number is active, encouraging repeat attempts.

2. Email scams : Emails remain one of the most costly scam channels. McKenty noted that although text scams are increasing, “the biggest dollar losses are still the classic email scams.” He recommends copying suspicious links into a notes app to inspect them carefully rather than clicking directly.

3. QR code scams : QR codes have also become a growing threat. “QR codes have become the new stealth weapon, used everywhere from restaurant menus to parking meters,” said Meister.

“Scammers are known to slap fake codes on top of real ones in public, or embed them in phishing emails, linking to cloned websites or malware downloads,” he said.

Before scanning, consider whether the QR code makes sense in that location. Codes found on random objects or in unexpected emails are best avoided.

4. Social media direct messages: Scammers often hijack or impersonate social media accounts belonging to people you know.

If a message from a relative or friend suddenly sounds aggressive, sales-driven or out of character — especially if it includes a link — verify by contacting them directly before clicking.

What to do if you already clicked a scam link

If you’ve clicked on a suspicious link, the outcome depends on your device’s security protections. Firewalls or antivirus software may block the threat automatically. Without protection, however, action may be needed.

Here are steps to take immediately:
  • Install or update antivirus software: Use reputable free or paid antivirus tools to scan and remove potential threats from your computer.
  • Watch for signs of malware: Phones are not immune. If infected, avoid using financial apps, clear your browser cache, delete unfamiliar apps or perform a factory reset. Contact your device’s tech support if needed.
  • Notify your bank or card issuer: If you accessed financial accounts on a compromised device, alert your institution as a precaution.
  • Report the scam: If you lost money, report the incident to the Federal Trade Commission and your local police department. Reporting helps authorities warn others and reduce future victims.

Staying alert and informed is your best defense against holiday scams — and the best way to keep the season joyful and secure.
Read more »
Virtual Kidnapping
AI Manipulation Cyber Fraud Cybersecurity Threats deepfake scams Digital Extortion FBI warning fraud prevention Online Safety Ransom Schemes Virtual Kidnapping

Crimes Extorting Ransoms by Manipulating Online Photos

 


It is estimated that there are more than 1,000 sophisticated virtual kidnapping scams being perpetrated right now, prompting fresh warnings from the FBI, as criminals are increasingly using facial recognition software to create photos, videos, and sound files designed to fool victims into believing that their loved ones are in immediate danger. 

As a result of increasing difficulty in distinguishing authentic content from digital manipulation, fraudsters are now blending stolen images with hyper-realistic artificial intelligence tools to fabricate convincing evidence of abductions, exploiting the growing difficulty of distinguishing authentic content from digital manipulation in the current era.

It is quite common for victims to be notified via text message that a family member had been kidnapped and that escalating threats demand that an immediate ransom be paid. 

A scammer often delivers what appears to be genuine images of the supposed victim when the victim requests proof, often sent through disappearing messages so that the fake identity cannot be inspected. This evolving approach, according to the FBI, represents a troubling escalation of extortion campaigns, one that takes advantage of panic as well as the blurred line between real and fake identity as it relates to digital identities. 

The FBI has released a public service announcement stating that criminals are increasingly manipulating photos from social media to manufacture convincing "proof-of-life" materials for use in virtual kidnapping schemes based on photos taken from social media and other open sources. As a rule, offenders contact victims by text, claim to have abducted their loved ones, and request an immediate payment while simultaneously using threats of violence as a way to heighten fear. 

It has been reported that scammers often alter photos or generate videos using Artificial Intelligence that appear authentic at first glance, but when compared to verified images of the supposed victim, inconsistencies are revealed—such as missing tattoos, incorrect scars, or distorted facial or body proportions—and thus make the images appear authentic. 

Often, counterfeit materials are sent out through disappearing message features so that careful analysis is limited. As part of the PSA, malicious actors often exploit emotionally charged situations, such as public searches for missing persons, by posing as credible witnesses or supplying fabricated information. Several tips from the FBI have been offered by the FBI to help individuals reduce vulnerability in the event of a cyber incident. 

The FBI advises people to be cautious when posting personal images online, avoid giving sensitive information to strangers, and develop a private verification method - like a family code word - for communication during times of crisis. When faced with ransom demands, the agency advises anyone targeted to do so to remain calm, take a photo or a message of the purported victim, and attempt to contact the purported victim directly before responding to the demand. 

As a result of recent incidents shared by investigators and cybersecurity analysts, it has become increasingly apparent just how convincing it is for criminals to exploit both human emotions and new technological advances to create schemes that blur the line between reality and fiction. 

A Florida woman was defrauded of $15,000 after receiving a phone call from scammers in which the voice of her daughter was cloned by artificial intelligence and asked for help. There was a separate case where parents almost became victims of the same scheme, when they were approached by criminals who impersonated their son and claimed that he was involved in a car accident and needed immediate assistance in order to recover from that situation. 

However, the similarities and differences between these situations reflect a wider pattern: fraud operations are becoming increasingly sophisticated, impersonating the sounds, appearances, and behaviors of loved ones with alarming accuracy, causing families to make hasty decisions under the pressure of fear and confusion, which pushes the victim into making hasty decisions. Experts have stressed that vigilance must go beyond just basic precautions as these tactics evolve. 

There is a recommendation to limit the amount of personal information you share on social media, especially travel plans, identifying information or real-time location updates, and to review your privacy settings to restrict access to trusted contacts. 

In addition, families should be encouraged to establish a private verification word or phrase that will help them verify their identity when in an emergency, and to try to reach out to the alleged victim through a separate device before taking any action at all. There are many ways in which people can minimize our exposure to cybercriminals, including maintaining strong, unique passwords, using reputable password managers, and securing all our devices with reliable security software. 

The authorities emphasize that it is imperative that peopl resist the urgency created by these scams; slowing down, verifying claims, documenting communications and involving law enforcement are crucial steps in preventing financial and emotional harm caused by these scams. 

According to the investigators, even though public awareness of digital threats is on the rise, meaningful security depends on converting that awareness into deliberate, consistent precautions. Despite the fact that it has yet to be widely spread, the investigation notes that the scheme has been around for several years and early reports surfacing in outlets such as The Guardian much before the latest warnings were issued.

Despite the rapid advancement of generative AI tools, experts say that what has changed is that these tactics have become much easier to implement and more convincing, prompting the FBI to re-issue a new alert. As the FBI points out, the fabricated images and videos used in these schemes are rarely flawless, and when one carefully examines them, one can often find evidence that they are manipulated, such as missing tattoos, altered scars, and subtle distortions in the proportions of the body.

A scammer who is aware of these vulnerabilities will often send the material using timed or disappearing message features, so that a victim cannot carefully examine the content before it disappears, making it very difficult for him or her to avoid being duped. 

In this PSA, it is stressed that it is crucial to maintain good digital hygiene to prevent such scams from occurring: limiting personal imagery shared online, being cautious when giving out personal information while traveling, and establishing a private family code word for verifying the identity of a loved one in an emergency. Before considering any financial response, the FBI advises potential targets to take a moment to attempt to speak directly to the supposedly endangered family member. 

In an era when these threats are being constantly tracked by law enforcement and cybersecurity experts, they are cautioning that the responsibility for prevention has increasingly fallen on the public and their proactive habits. 

By strengthening digital literacy—such as learning how to recognize subtle signs of synthetic media, identifying messages that are intended to provoke fear, and maintaining regular communication routines within the family people can provide powerful layers of protection against cybercrime. Moreover, online experts recommend that people diversify their online presence by not using the same profile photograph on every platform they use and by reviewing their social media archives for any old posts that may inadvertently expose personal patterns or personal relationships.

There are many ways in which communities can contribute to cybersafety, including sharing verified information, reporting suspicious events quickly, and encouraging open discussion about online safety among children, parents, and elderly relatives who are often targeted as a result of their trust in technology or lack of familiarity with it. 

Despite the troubling news of the FBI's warning regarding digital extortion, it also suggests that a clear path to reducing the impact and reach of these emotionally exploitative schemes can be found if people remain vigilant, behave thoughtfully online, and keep ourselves aware of our surroundings.
Read more »
RTO challan scam
Android malware scam Cyber Fraud cyber fraud India fake e-challan WhatsApp scam malicious APK spyware RTO challan scam

Fake RTO e-Challan WhatsApp Scam Resurfaces: Fraudsters Push Spyware Through Malicious APK Files

 

Cybercriminals have once again revived an old trick—but with a more convincing disguise. This time, scammers are exploiting the name of the official RTO e-challan system to deceive smartphone users. Over the past year, malicious APK files have been circulated in the form of fake wedding invitations, PM-Kisan alerts, courier updates, and KYC notices. Now, the same method is being used to send fraudulent “RTO Challan” messages on WhatsApp, luring victims into installing powerful spyware.

The fraud begins with a seemingly urgent WhatsApp alert claiming that a traffic challan has been issued against the recipient’s vehicle. The message includes a link or an attachment labelled as an e-challan file. Many users, acting out of fear or confusion, click the file—unknowingly giving criminals full access to their device.

Victims typically receive a message saying: “An e-challan has been issued for your vehicle. Download the file below to view details.”

The attachment is an APK file with names like RTO_Challan.apk or E-Challan_Details.apk. Once downloaded, the file installs automatically on Android phones and begins functioning as spyware.

After installation, the malware:

  • Provides hackers complete remote access to the device

  • Captures banking app information, OTPs, contacts, and personal files

  • Automatically sends the same malicious APK to all WhatsApp contacts

  • Enables criminals to execute online banking transactions undetected

Cyber experts warn that this form of malware is extremely dangerous because no further interaction is required—the victim’s phone essentially becomes a control panel for the fraudster.

APK (Android Package Kit) files are standard installation packages for Android apps. While apps on the Google Play Store undergo safety checks, APKs sent through WhatsApp, SMS, email, or Telegram do not. Many users mistake APK files for regular documents or images and tap them without realizing the risk. This lack of awareness makes such scams highly effective.

How the scam could evolve further

Scammers typically exploit themes that trigger fear, urgency, or excitement. Experts believe similar APK-based attacks may soon appear in the form of:

  • PM-Kisan installment notifications

  • Overdue electricity bill alerts

  • Passport or courier delivery updates

  • Lottery or prize winnings

  • Bank KYC reminders

  • Government scheme eligibility messages

While the topics may change, the underlying tactic remains the same: tricking users into downloading malware via a fake APK.

7 essential safety steps

  • Never download APK files received through WhatsApp—even from known contacts.

  • Verify real traffic challans only through: echallan.parivahan.gov.in

  • Remember: wedding invitations, PDFs, photos, and government documents never come in .apk format.

  • If a known person sends an APK, call to confirm—it may be sent from a hacked account.

  • Disable Install apps from unknown sources in your device settings.

  • If you downloaded a suspicious APK:

    • Turn off mobile data/Wi-Fi immediately

    • Uninstall the unknown app

    • Change all banking passwords and PINs

  • In case of financial fraud, call 1930 (National Cyber Fraud Helpline) without delay.

As digital transactions become more common, cyber risks continue to grow. The ongoing fake RTO challan scam is a strong reminder to stay vigilant—check every link, scrutinize every file, and never trust unsolicited messages.

Most importantly, ensure senior citizens and less tech-savvy users are informed, as they are the most vulnerable. Just one infected APK is enough to compromise your phone and drain your bank account in minutes.

Read more »
User Security
Cyber Fraud FBI IC3 Impersonation phishing User Security

FBI Warns of Cybercriminals Impersonating IC3 to Steal Personal Data

 

The FBI has issued a public service announcement warning that cybercriminals are impersonating the FBI’s Internet Crime Complaint Center (IC3) and even cloning its website to steal victims’ personal and financial data.Attackers are exploiting public trust in federal law enforcement by creating fake IC3-branded domains and lookalike reporting portals, then driving victims to these sites via phishing emails, messages, and search engine manipulation so people think they are filing a legitimate cybercrime report. 

The alert—referenced as PSA I-091925—describes threat actors spoofing the official IC3 website and related communications, with the goal of harvesting names, home addresses, phone numbers, email addresses, and banking details under the pretext of gathering evidence for an investigation or helping recover lost funds.The FBI stresses that visiting these fake sites or responding to unsolicited “IC3” outreach could lead not only to identity theft and financial fraud but also to further compromise through follow‑on scams using the stolen data.

Security experts situates this campaign within a broader surge in impersonation attacks, noting that law enforcement, government agencies, and major brands have all been targets of cloned sites and spoofed communications, often enhanced by AI to appear more convincing. It highlights that scammers may blend IC3 impersonation with other fraud patterns, such as bogus refund or recovery services, “phantom hacker” style tech‑support narratives, or messages claiming to fix account compromises, all framed as official FBI assistance. 

The FBI has issued guidelines to safeguard Americans from phishing campaign. The real IC3 does not charge fees, will never ask for payment or direct victims to third‑party companies to recover funds, and does not operate any official presence on social media. Genuine IC3 reporting should be done only through the official ic3.gov domain, accessed by typing the URL directly into the browser or using trusted bookmarks, rather than clicking on links in unsolicited messages or search ads. 

Additionally, to mitigate risk the FBI recommends treating any unexpected communication claiming to be from the FBI or IC3 with skepticism, independently verify contact details through official channels, and avoid sharing sensitive information or making payments based on pressure tactics. It closes by urging individuals and organizations to train staff on recognizing impersonation scams, double‑check domains and email addresses, and promptly report suspected fake FBI or IC3 activity using confirmed, legitimate FBI contact points.
Read more »
Social Engineering
Cyber Fraud Phishing Campaign RMM Tools Social Engineering

Hackers Weaponize Trusted IT Tools for Full System Control

 

Malicious actors are weaponizing legitimate Remote Monitoring and Management (RMM) tools, turning trusted IT software into a means for unauthorized system access. This strategy represents a significant shift from traditional malware attacks, as it exploits programs like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to gain full remote control over a victim's computer, bypassing many conventional security measures because the software itself is not inherently malicious.

Modus operandi 

The core of this attack methodology lies in social engineering, where attackers trick individuals into installing these legitimate RMM applications under false pretenses. Security researchers have noted a significant increase in telemetry for detections labeled RiskWare.MisusedLegit.GoToResolve, indicating a rise in this type of threat. The attackers employ various deceptive tactics, including using misleading filenames for the installers.

One common method involves sending phishing emails that appear legitimate. For instance, an email sent to a user in Portugal contained a link that, when hovered over, pointed to a file hosted on Dropbox. By using a legitimate file-hosting service like Dropbox and a trusted RMM tool, attackers increase the likelihood of bypassing security software that might otherwise flag suspicious links or attachments .

In other cases, attackers set up fraudulent websites that perfectly mimic the download pages of popular free utilities like Notepad++ and 7-Zip, tricking users into downloading the malicious RMM installer instead of the software they were seeking.

When a victim clicks the malicious link, it delivers an RMM installer that has been pre-configured with the attacker’s unique "CompanyId." This hardcoded identifier automatically links the victim's machine directly to the attacker’s control panel.

This setup allows the attacker to instantly spot and connect to the newly compromised system without the need for stolen credentials or the deployment of additional malware . Because RMM tools are designed to run with administrative privileges, and their network traffic is often allowed by firewalls and other security solutions, the malicious remote access blends in with normal IT administrative traffic, making it extremely difficult to detect.

Mitigation tips

To defend against this evolving threat, it is crucial to be vigilant about the source of all software downloads .

  • Download carefully: Always download software directly from the official developer's website or verified sources.
  • Verify before installing: Check file signatures and certificates before running any installer to ensure they are from a trusted publisher.
  • Question unexpected prompts: If you receive an unexpected prompt to update software, verify the notification through a separate, trusted channel, such as by visiting the official website directly .
  • Stay updated: Keep your operating system and all installed software up to date with the latest security patches.
  • Recognize social engineering: Learn to identify the deceptive tricks attackers use to push malicious downloads .
Read more »
Subscribe to: Comments (Atom)