Authentication and Phishing - Cyber Security Informer

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Krebs on Security

JANUARY 16, 2025

Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. Reports of similar SMS phishing attacks against customers of other U.S. This is by no means a comprehensive list.

Phishing

Phishing Scams Mobile Passwords

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. million in an elaborate voice phishing attack. The phishing domain used to steal roughly $4.7 Image: Shutterstock, iHaMoo. “ Annie.”

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Device Code Phishing

Schneier on Security

FEBRUARY 19, 2025

This isn’t new, but it’s increasingly popular : The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard.

Phishing

Phishing Authentication Accountability Passwords

Webinars

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

MORE WEBINARS

Defeating Phishing-Resistant Multifactor Authentication

Schneier on Security

NOVEMBER 9, 2022

CISA is now pushing phishing-resistant multifactor authentication. Roger Grimes has an excellent post reminding everyone that “phishing-resistant” is not “phishing proof,” and that everyone needs to stop pretending otherwise. His list of different attacks is particularly useful.

Authentication

Authentication Phishing

FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

Krebs on Security

JANUARY 31, 2025

Department of Justice refers to the cybercrime group as Saim Raza , after a pseudonym The Manipulaters communally used to promote their spam, malware and phishing services on social media. ” Manipulaters advertisement for Office 365 Private Page with Antibot phishing kit sold via Heartsender. Image: DomainTools. ” U.S.

Phishing

Phishing Cybercrime Advertising Malware

Man-in-the-Middle Phishing Attack

Schneier on Security

AUGUST 25, 2022

Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into.

Phishing

Phishing Authentication Passwords Accountability

Booking.com Phishers May Leave You With Reservations

Krebs on Security

NOVEMBER 1, 2024

This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California.

Phishing

Phishing Accountability Artificial Intelligence Cybercrime

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one. We have reported the fraudulent sites to Microsoft already.

Engineering

Engineering Phishing Banking Authentication

Phishing evolves beyond email to become latest Android app threat

Malwarebytes

FEBRUARY 11, 2025

There are plenty of phish in the sea, and the latest ones have little interest in your email inbox. In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. These Android phishing apps may sound high-tech, but they are not.

Phishing

Phishing Passwords Mobile Authentication

AI-Powered Phishing: Defending Against New Browser-Based Attacks

SecureWorld News

JANUARY 22, 2025

The cybersecurity landscape has witnessed a dramatic shift with the rise of AI-powered phishing attacks. The evolution of AI-enhanced phishing Today's phishing attempts are far more sophisticated than ever before. AI-powered phishing campaigns can now adapt in real-time, learning from user interactions to refine their approach.

Phishing

Phishing Threat Detection Social Engineering DNS

Operation Heart Blocker: International Police Disrupt Phishing Network

SecureWorld News

FEBRUARY 3, 2025

and Dutch law enforcement agencies have dismantled 39 domains and their associated servers in an effort to disrupt a Pakistan-based network of online marketplaces selling phishing and fraud-enabling tools. Organizations should enforce least privilege access and enable multi-factor authentication (MFA) on all accounts that have it available.

Phishing

Phishing Cybercrime Scams Authentication

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing

Phishing Accountability Authentication Advertising

Storm-2372 used the device code phishing technique since August 2024

Security Affairs

FEBRUARY 16, 2025

Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. ” Device code phishing attacks exploit authentication flows to steal tokens, granting attackers access to accounts and data. ” continues the report.

Phishing

Phishing Authentication Telecommunications Accountability

Feds Charge Five Men in ‘Scattered Spider’ Roundup

Krebs on Security

NOVEMBER 21, 2024

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Image: Amitai Cohen twitter.com/amitaico. com and ouryahoo-okta[.]com. Click to enlarge.

Identity Theft

Identity Theft Phishing Cryptocurrency Accountability

Problems with Multifactor Authentication

Schneier on Security

OCTOBER 21, 2021

Roger Grimes on why multifactor authentication isn’t a panacea : The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in.

Authentication

Authentication Ransomware Social Engineering Engineering

U.S. Justice Department Cracks Down on Scattered Spider Phishing Ring

SecureWorld News

NOVEMBER 22, 2024

The United States Department of Justice (DOJ) has unsealed charges against five individuals accused of orchestrating sophisticated phishing campaigns tied to the notorious Scattered Spider cybercrime group. As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses.

Phishing

Phishing Identity Theft Cryptocurrency Cybercrime

How to Prevent Phishing Attacks with Multi-Factor Authentication

Tech Republic Security

JANUARY 25, 2024

Learn how to protect yourself and your sensitive information from phishing attacks by implementing multi-factor authentication.

Authentication

Authentication Phishing

Gmail Under Siege: FBI Warns of Unusual AI-Driven Phishing Attacks

eSecurity Planet

FEBRUARY 10, 2025

In a stark warning to organizations and everyday users alike, cybersecurity experts and government agencies have sounded the alarm over a new breed of Gmail-targeted phishing attacks. AI-Enhanced Cyberthreats Recent intelligence indicates that the sophistication of Gmail phishing campaigns has reached new heights.

Phishing

Phishing Artificial Intelligence Password Management Accountability

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Krebs on Security

FEBRUARY 8, 2021

Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of a U-Admin , a software package used to administer what’s being called “one of the world’s largest phishing services.” The U-Admin phishing panel interface. Image: fr3d.hk/blog. ” U-Admin, a.k.a.

Phishing

Phishing Scams Banking Mobile

Misconfigured AWS Accounts Are Fueling Phishing Campaigns

eSecurity Planet

MARCH 4, 2025

Cybersecurity researchers have uncovered a campaign where threat actors exploit misconfigured Amazon Web Services (AWS) environments to send phishing emails. How the attack works The JavaGhost group, active since 2019, initially focused on website defacements before shifting to financially motivated phishing attacks in 2022.

Phishing

Phishing Accountability Authentication Risk

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Troy Hunt

AUGUST 30, 2023

They'd observed a phishing campaign that had collected 68k credentials from unsuspecting victims and asked if HIBP may be used to help alert these individuals to their exposure. Last week I was contacted by CERT Poland. Data accumulated by the malicious activity spanned from October 2022 until just last week.

Phishing

Phishing Password Management Passwords Banking

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing

Phishing Accountability Authentication Advertising

How AI was used in an advanced phishing campaign targeting Gmail users

Malwarebytes

FEBRUARY 13, 2025

Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

Phishing

Phishing Artificial Intelligence Identity Theft Accountability

Fake Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

Malwarebytes

MARCH 26, 2025

A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown. Enable two-factor authentication (2FA). Some forms of two-factor authentication (2FA) can be phished just as easily as a password.

Phishing

Phishing Malware Passwords Password Management

Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others

Krebs on Security

MARCH 31, 2020

A spear-phishing attack this week hooked a customer service employee at GoDaddy.com , the world’s largest domain name registrar, KrebsOnSecurity has learned. 49 (that domain is hobbled here because it is currently flagged as hosting a phishing site). It was starting to look like someone had gotten phished.

Phishing

Phishing DNS Social Engineering Accountability

Mishing Is the New Phishing — And It’s More Dangerous

eSecurity Planet

FEBRUARY 26, 2025

Cybercriminals are shifting their focus from emails to text messages, using mishing a more deceptive form of phishing to target mobile users and infiltrate corporate networks, according to new security research by Zimperium. Vishing: Also known as voice phishing. What is mishing? and 9%in Brazil.

Phishing

Phishing Mobile Social Engineering Data breaches

Vulnerability Recap 10/28/24 – Phishing, DoS, RCE & a Zero-Day

eSecurity Planet

OCTOBER 28, 2024

We’ll also look at increased phishing attacks, a couple of different Cisco flaws, and a Fortinet vulnerability that took some time to get its own CVE. The attacker must be authenticated and have Site Owner permissions to conduct the attack, but with those, they could inject and execute arbitrary code in SharePoint Server contexts.

Phishing

Phishing Authentication Software VPN

Thanks FedEx, This is Why we Keep Getting Phished

Troy Hunt

FEBRUARY 23, 2024

I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. And so, when I received the following SMS earlier this week I was expecting a parcel and I was expecting phishing attacks: So. Parcel or phish?

Phishing

Phishing Scams Banking Social Engineering

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). The answer is remarkably simple, actually— phishing. This means traditional MFA is becoming increasingly useless against phishing in the real world. It completely changes how authentication is done.

Authentication

Authentication Phishing Passwords Accountability

Tax deadline threat: QuickBooks phishing scam exploits Google Ads

Malwarebytes

APRIL 8, 2025

Brand impersonation: from Google ad to phishing page Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.

Phishing

Phishing Scams Accountability Passwords

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. In fact, according to Verizon’s most recent data breach report, approximately 80 percent of all breaches are caused by phishing and stolen credentials.

Authentication

Authentication Passwords Phishing Social Engineering

GUEST ESSAY: Advanced tools, tactics required to defend latest attack variant — ‘DeepSea phishing’

The Last Watchdog

JULY 14, 2022

Phishing itself is not a new or a particularly complicated threat. But the emergence of advanced phishing techniques – “DeepSea Phishing” – poses an entirely new challenge for enterprises. The financial impact of phishing attacks quadrupled over the past six years, with the average cost for U.S. companies rising to $14.8

Phishing

Phishing Education Cybersecurity Threat Detection

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Krebs on Security

APRIL 3, 2024

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “ The Manipulaters ,” a sprawling web hosting network of phishing and spam delivery platforms. Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com.

Phishing

Phishing Cybercrime Malware Advertising

Phishing Campaign Impersonates Booking.com, Plants Malware

eSecurity Planet

MARCH 14, 2025

A recent phishing campaign has raised alarms among cybersecurity professionals after it impersonated Booking.com to deliver a suite of credential-stealing malware. The phishing messages include links or attachments that direct users to fake Booking.com pages.

Phishing

Phishing Malware Social Engineering Authentication

Karma Catches Up to Global Phishing Service 16Shop

Krebs on Security

AUGUST 17, 2023

You’ve probably never heard of “ 16Shop ,” but there’s a good chance someone using it has tried to phish you. A 16Shop phishing page spoofing Apple and targeting Japanese users. Image: Akamai.com. The INTERPOL statement says the platform sold hacking tools to compromise more than 70,000 users in 43 countries.

Phishing

Phishing Passwords Internet Internet

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Malwarebytes

JANUARY 15, 2025

Table of contents Overview Criminals impersonate Google Ads Lures hosted on Google Sites Phishing for Google account credentials Victimology Who is behind these campaigns? Figure 12: The actual phishing page that follows Finally, all the data is combined with the username and password and sent to the remote server via a POST request.

Advertising

Advertising Accountability Phishing Scams

Level Up Your Security: Embrace Passkeys and Phishing-Resistant 2FA

Thales Cloud Protection & Licensing

JANUARY 31, 2025

Level Up Your Security: Embrace Passkeys and Phishing-Resistant 2FA andrew.gertz@t Fri, 01/31/2025 - 15:17 Celebrate Change Your Password Day and 2FA Day by embracing passkeys and phishing-resistant 2FA. Learn why these modern security practices are essential for safer, stronger authentication. Passwordless authentication.

Phishing

Phishing Passwords Password Management Authentication

20 Million OpenAI accounts offered for sale

Malwarebytes

FEBRUARY 7, 2025

The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems. It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the auth0.openai.com

Accountability

Accountability Phishing Passwords Authentication

USDA Pioneers Phishing-Resistant MFA with Fast IDentity Online (FIDO)

Penetration Testing

NOVEMBER 22, 2024

Department of Agriculture’s (USDA) successful implementation of phishing-resistant multi-factor authentication (MFA) using Fast IDentity Online... The post USDA Pioneers Phishing-Resistant MFA with Fast IDentity Online (FIDO) appeared first on Cybersecurity News.

Phishing

Phishing Authentication Cybersecurity

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.

Mobile

Mobile Phishing Authentication Accountability

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. A Google-translated version of the now-defunct Coinbase phishing site, coinbase.com.password-reset[.]com. The Coinbase phishing panel. million Italians.

Passwords

Passwords Phishing Accountability Mobile

Voice Phishers Targeting Corporate VPNs

Krebs on Security

AUGUST 19, 2020

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. The employee phishing page bofaticket[.]com. Image: urlscan.io.

Phishing

Phishing VPN Social Engineering Media

When Low-Tech Hacks Cause High-Impact Breaches

Krebs on Security

FEBRUARY 26, 2023

But it’s worth revisiting how this group typically got in to targeted companies: By calling employees and tricking them into navigating to a phishing website. But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee. In a filing with the U.S.

Hacking

Hacking Social Engineering Phishing Scams

US Cities Warn of Surge in Unpaid Parking Phishing Text Scams

eSecurity Planet

MARCH 11, 2025

cities are alerting residents to a widespread phishing scam involving fraudulent text messages about unpaid parking violations. Phishing scam details The scam involves text messages that appear to be official notices from city parking authorities. Try to: Verify authenticity: Do not click on links in unsolicited messages.

Scams

Scams Phishing Consumer Protection Authentication

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

A Day in the Life of a Prolific Voice Phishing Crew

Webinars

Trending Sources

Device Code Phishing

Webinars

Defeating Phishing-Resistant Multifactor Authentication

FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang

Man-in-the-Middle Phishing Attack

Booking.com Phishers May Leave You With Reservations

Crooks bank on Microsoft’s search engine to phish customers

Phishing evolves beyond email to become latest Android app threat

AI-Powered Phishing: Defending Against New Browser-Based Attacks

Operation Heart Blocker: International Police Disrupt Phishing Network

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Storm-2372 used the device code phishing technique since August 2024

Feds Charge Five Men in ‘Scattered Spider’ Roundup

Problems with Multifactor Authentication

U.S. Justice Department Cracks Down on Scattered Spider Phishing Ring

How to Prevent Phishing Attacks with Multi-Factor Authentication

Gmail Under Siege: FBI Warns of Unusual AI-Driven Phishing Attacks

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Misconfigured AWS Accounts Are Fueling Phishing Campaigns

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

How AI was used in an advanced phishing campaign targeting Gmail users

Fake Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others

Mishing Is the New Phishing — And It’s More Dangerous

Vulnerability Recap 10/28/24 – Phishing, DoS, RCE & a Zero-Day

Thanks FedEx, This is Why we Keep Getting Phished

Not All MFA is Equal, and the Differences Matter a Lot

Tax deadline threat: QuickBooks phishing scam exploits Google Ads

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

GUEST ESSAY: Advanced tools, tactics required to defend latest attack variant — ‘DeepSea phishing’

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Phishing Campaign Impersonates Booking.com, Plants Malware

Karma Catches Up to Global Phishing Service 16Shop

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Level Up Your Security: Embrace Passkeys and Phishing-Resistant 2FA

20 Million OpenAI accounts offered for sale

USDA Pioneers Phishing-Resistant MFA with Fast IDentity Online (FIDO)

How 1-Time Passcodes Became a Corporate Liability

How Coinbase Phishers Steal One-Time Passwords

Voice Phishers Targeting Corporate VPNs

When Low-Tech Hacks Cause High-Impact Breaches

US Cities Warn of Surge in Unpaid Parking Phishing Text Scams

Stay Connected