Tag: phishing
All items tagged phishing.
- eBanking phishing hides its landing-page address in IPv4-mapped IPv6 notation to slip past URL scanners [SINGLE-SOURCE]
- Research: ClickFix matured into a productised malware-as-a-service supply chain
- NCSC-CH — fake Swiss Post "Avis de passage" QR-code phishing in French-speaking Switzerland
- Operation Endgame expands to SocGholish/TA569 — 106 C2 servers down, FakeUpdates loader stripped from 14,971 WordPress sites
- Sophos X-Ops: underground AI adoption is cautious but concrete — LLM-assisted packers, LLM C2 orchestration, NLP-triaged leak markets [SINGLE-SOURCE]
- ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures
- Crypto clipboard-hijacker campaign weaponises VirusTotal community reputation to suppress detection
- Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain
- Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption
- iRhythm discloses data theft via social engineering of a third-party-hosted application (SEC 8-K) [SINGLE-SOURCE]
- UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play
- UPDATE: FBI "Operation Ghost Hook" seizes the Outsider PhaaS infrastructure Google had sued
- Public administration — the week's centre of gravity
- Novo Nordisk discloses theft of clinical-trial and healthcare-professional data
- "Agentjacking": Tenet Security hijacks AI coding agents via forged Sentry error events
- Google sues China-based "Outsider" PhaaS network for weaponising Gemini to mass-produce phishing pages
- Imperva and Varonis: indirect prompt injection and "agent phishing" against the OpenClaw AI agent — fixed in v2026.4.23, but the attack class generalises
- "Ghost-Sender": Exchange Online accepts spoofed inbound mail bypassing SPF/DKIM/DMARC when a third-party MX fronts the tenant — no vendor patch
- NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery
- Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender [SINGLE-SOURCE]
- Check Point: a TDS-gated ecosystem impersonates security tools (Ghidra, dnSpy, ILSpy) to deliver SessionGate, RemusStealer and a clipboard hijacker [SINGLE-SOURCE]
- Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities
- Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing
- Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
- Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries
- FIFA World Cup 2026 pre-event threat cluster: Android banking trojans in pirated streaming apps, plus a 13,000-domain fraud layer, ahead of the 11 June kick-off
- Luna Moth / UNC3753: vishing-to-physical-USB data-theft extortion reaches ~$20 M suppression payment and DNS fast-flux C2
- Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation
- TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT
- Hijacked polyfill[.]io domain reactivates, surfacing native browser credential prompts on sites that never removed legacy script tags
- SANS ISC: WeTransfer-delivered JavaScript stages a steganographic image loader ("Evil MSI background") on Cloudflare Workers and R2 [SINGLE-SOURCE]
- Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT
- Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature
- NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
- Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway
- DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH [SINGLE-SOURCE]
- Dashlane discloses TOTP brute-force that downloaded encrypted vaults of fewer than 20 users
- SANS ISC: SVG phishing wave abuses a non-standard MIME type to slip past WAF/email pattern-matching [SINGLE-SOURCE]
- Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain
- Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff
- Attackers social-engineer Meta's AI support chatbot into resetting Instagram passwords
- GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver
- SmartApeSG ClickFix stages an unnamed RAT that pivots to a weaponised NetSupport Manager [SINGLE-SOURCE]
- "Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users
- Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff
- GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
- LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads
- Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2
- ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com
- WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS
- FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary
- UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected
- ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]
- Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]
- Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
- ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure
- AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole
- Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS
- UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
- FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture
- UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures
- B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks
- INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown
- GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]
- TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot
- DigiCert support portal compromise — Salesforce-based support-chat social engineering yielded 60 fraudulent EV code-signing certificates
- German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified
- MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC
- German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law
- SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering [SINGLE-SOURCE-OTHER]
- Brief mobile-device-policy owners on SMS-blaster smishing in CH
- Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater
- ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper
- Detect ClickFix-style Terminal-paste social engineering on macOS endpoints
- German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams
- Amazon SES weaponised for authenticated phishing and BEC (Kaspersky, 2026-05-04, ~96 h)
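The eBanking item above turns on one detail: a URL scanner that keys its reputation lookup on the host string as written will not match `[::ffff:c0a8:101]` against a blocklist entry for `192.168.1.1`, even though both name the same host. The following is an added example, not code from the original page or from any vendor it cites; it shows a pre-filter that collapses IPv4-mapped IPv6 literals (hex and dotted forms) to their IPv4 address before lookup, flags that spelling as evasive, and leaves DNS names and ordinary IPv6 literals in canonical form. The function names and the sample URLs are constructed for illustration.

```python
"""Normalise URL hosts written as IPv4-mapped IPv6 literals.

Added example (not from the original page): a pre-filter for URL scanners
that rewrites hosts such as [::ffff:c0a8:101] to the dotted-quad 192.168.1.1
before reputation lookups, so a landing page cannot hide behind an
alternative spelling of the same address. Sample URLs are constructed.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def canonical_host(url: str) -> Optional[str]:
    """Return the scanner-facing host for ``url``.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d, in hex or dotted form) are
    collapsed to their IPv4 address; other IPv6 literals are returned in
    compressed canonical form; DNS names are returned lower-cased as-is.
    Malformed URLs (e.g. an unparsable bracketed host) yield None.
    """
    try:
        host = urlsplit(url).hostname  # strips [] from IPv6 literals
    except ValueError:
        return None
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a DNS name, not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def is_evasive_spelling(url: str) -> bool:
    """True when the host is an IPv4 address written as an IPv4-mapped IPv6
    literal: a spelling with no legitimate reason to appear in a mail link."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None


def normalise_url(url: str) -> str:
    """Rebuild ``url`` with the canonical host so reputation lookups and
    blocklist matches see one key regardless of how the address was spelt."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return url
    host = canonical_host(url)
    if host is None or host == parts.hostname:
        return url
    netloc = host
    if parts.port is not None:
        netloc += f":{parts.port}"
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += f":{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed sample: the first two URLs and the third denote the same host,
# so a blocklist keyed on 192.0.2.10 must match all three after normalisation.
SAMPLE_URLS = [
    "http://[::ffff:c000:20a]/ebanking/login",
    "http://[::ffff:192.0.2.10]:8080/ebanking/login",
    "https://192.0.2.10/ebanking/login",
    "https://bank.example/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        tag = "EVASIVE" if is_evasive_spelling(u) else "plain  "
        print(f"{tag} {u} -> {normalise_url(u)}")
```

Run the normaliser before any blocklist or reputation lookup, and treat a mapped-IPv6 spelling in a mail link as a signal in its own right: browsers accept it, but no legitimate sender has a reason to write an IPv4 host that way.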