ctipilot.ch — Financehttps://ctipilot.ch/Items affecting financial services, banks, insurance, fintech.enSun, 10 May 2026 19:33:31 +0000ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeperhttps://ctipilot.ch/briefs/2026-05-10/clickfix-campaign-expands-to-macos-macsync-shub-stealer-and-amos-delivered-via-b/https://ctipilot.ch/briefs/2026-05-10/clickfix-campaign-expands-to-macos-macsync-shub-stealer-and-amos-delivered-via-b/Sun, 10 May 2026 19:33:31 +00002026-05-10T19:33:31+00:00phishinginfostealerglobalMicrosoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users via fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes — Shub Stealer earlier wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell payload directly to bash, bypassing Gatekeeper because no signed application bundle is ever launched. Three distinct infostealers — Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer) — are delivered across campaign variants per Microsoft, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists with Telegram-fallback C2.

]]>Microsoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users via fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes — Shub Stealer earlier wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell payload directly to bash, bypassing Gatekeeper because no signed application bundle is ever launched. Three distinct infostealers — Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer) — are delivered across campaign variants per Microsoft, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists with Telegram-fallback C2.

ATT&CK mapping: T1204.002 User Execution: Malicious File, T1059.004 Unix Shell, T1555.001 Credentials from Password Stores: Keychain. Detection concepts: alert on Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile; LaunchAgent file-creation events from outside /Applications or /Library/Application Support/<vendor> paths; anomalous Keychain API calls from processes without UI entitlements (Endpoint Security framework ES_EVENT_TYPE_NOTIFY_OPENSSH-style hooks expose this on EDR-instrumented Macs).

]]>German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarifiedhttps://ctipilot.ch/briefs/2026-05-09/german-court-finds-bank-liable-for-sophisticated-phishing-loss-psd2-ip-analytics/https://ctipilot.ch/briefs/2026-05-09/german-court-finds-bank-liable-for-sophisticated-phishing-loss-psd2-ip-analytics/Sun, 10 May 2026 19:33:31 +00002026-05-10T19:33:31+00:00phishingidentitylaw-enforcementeuropedachOn 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.

]]>On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.

]]>Swiss and DACH Deployment Contexthttps://ctipilot.ch/briefs/2026-05-09/swiss-and-dach-deployment-context/https://ctipilot.ch/briefs/2026-05-09/swiss-and-dach-deployment-context/Sun, 10 May 2026 19:33:31 +00002026-05-10T19:33:31+00:00vulnerabilitiespre-authrceauth-bypasspatch-availablezero-clickswitzerlanddachSEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.

]]>SEPPmail is the market-leader for cryptographic email processing in the Swiss public sector. The primary driver is cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery's ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.

For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.

]]>