Authentication and Web Fraud - Cyber Security Informer

Booking.com Phishers May Leave You With Reservations

Krebs on Security

NOVEMBER 1, 2024

Booking.com said it now requires 2FA , which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password. .” The phony booking.com website generated by visiting the link in the text message. SecureWorks said these attacks had been going on since at least March 2023.

Phishing

Phishing Accountability Artificial Intelligence Cybercrime

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Lookout researchers discovered multiple voice phishing groups were using a new phishing kit that closely mimicked the single sign-on pages for Okta and other authentication providers. Federal Communications Commission (FCC), as well as those working at the cryptocurrency exchanges Coinbase and Binance. “ Annie.”

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Krebs on Security

JANUARY 16, 2025

Those who fall for the scam are asked to provide payment card data, and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app. Reports of similar SMS phishing attacks against customers of other U.S. state-run toll facilities surfaced around the same time as the MassDOT alert.

Phishing

Phishing Scams Mobile Passwords

Webinars

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

MORE WEBINARS

Crime Shop Sells Hacked Logins to Other Crime Shops

Krebs on Security

JANUARY 21, 2022

One example is Genesis Market , where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication.

Hacking

Hacking Cybercrime Passwords Authentication

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Krebs on Security

NOVEMBER 9, 2024

.” Echoing the FBI’s warning, Donahue said far too many police departments in the United States and other countries have poor account security hygiene, and often do not enforce basic account security precautions — such as requiring phishing-resistant multifactor authentication.

Hacking

Hacking Accountability Government Social Engineering

Recycle Your Phone, Sure, But Maybe Not Your Number

Krebs on Security

MAY 19, 2021

The Princeton team further found 100 of those 259 numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. While you’re at it, consider removing your phone number as a primary or secondary authentication mechanism wherever possible.

Mobile

Mobile Wireless Accountability Authentication

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That is true two-factor authentication: Something you have, and something you know (and maybe also even something you are).

Passwords

Passwords Mobile Authentication Banking

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

Krebs on Security

JULY 26, 2024

Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.

Accountability

Accountability Authentication Cryptocurrency Web Fraud

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.

Mobile

Mobile Phishing Authentication Accountability

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

Hacking

Hacking Cybercrime Phishing Passwords

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Krebs on Security

NOVEMBER 19, 2021

In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member. To combat this scam Zelle introduced out-of-band authentication with transaction details.

Scams

Scams Banking Passwords Authentication

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Krebs on Security

SEPTEMBER 2, 2021

Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials. “For context, our research indicates that multi-factor authentication prevents more than 99.9%

Accountability

Accountability Authentication Passwords Hacking

When Low-Tech Hacks Cause High-Impact Breaches

Krebs on Security

FEBRUARY 26, 2023

Many companies now require employees to supply a one-time password — such as one sent via SMS or produced by a mobile authenticator app — in addition to their username and password when logging in to company assets online. The key works without the need for any special software drivers.

Hacking

Hacking Social Engineering Phishing Scams

Experian, You Have Some Explaining to Do

Krebs on Security

JULY 10, 2022

“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. That’s because Experian does not offer any type of multi-factor authentication options on consumer accounts. But now he’s wondering what else he could do to prevent another account compromise.

Accountability

Accountability Passwords Authentication Password Management

Malicious Office 365 Apps Are the Ultimate Insiders

Krebs on Security

MAY 5, 2021

After logging in, the user might see a prompt that looks something like this: These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. “It’s just easier, and it’s a good way to bypass multi-factor authentication.”

Accountability

Accountability Advertising Passwords Phishing

Local Networks Go Global When Domain Names Collide

Krebs on Security

AUGUST 23, 2024

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. ” Caturegli said setting up an email server record for memrtcc.ad

DNS

DNS Internet Internet Authentication

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to. authenticate the phone call before sensitive information can be discussed. Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

Identity Thieves Bypassed Experian Security to View Credit Reports

Krebs on Security

JANUARY 9, 2023

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022.

Identity Theft

Identity Theft Accountability Authentication Web Fraud

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

.” Last month, Coinbase disclosed that malicious hackers stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company’s SMS multi-factor authentication security feature.

Passwords

Passwords Phishing Accountability Mobile

Don’t Let Your Domain Name Become a “Sitting Duck”

Krebs on Security

JULY 31, 2024

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. Image: Shutterstock.

DNS

DNS Internet Internet Phishing

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Krebs on Security

FEBRUARY 8, 2021

Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. Qbot) — to harvest one-time codes needed for multi-factor authentication. There are multiple recent reports that U-Admin has been used in conjunction with malware — particularly Qakbot (a.k.a.

Phishing

Phishing Scams Banking Mobile

How $100M in Jobless Claims Went to Inmates

Krebs on Security

FEBRUARY 25, 2021

Much of this fraud exploits weak authentication methods used by states that have long sought to verify applicants using static, widely available information such as Social Security numbers and birthdays. to shore up their authentication efforts, with six more states under contract to use the service in the coming months.

Scams

Scams Insurance DDOS Authentication

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Krebs on Security

JANUARY 30, 2024

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

Social Engineering

Social Engineering Mobile Passwords Cybercrime

Disneyland Malware Team: It’s a Puny World After All

Krebs on Security

NOVEMBER 16, 2022

. “The reason that it is infeasible for them to use in-browser injects include browser and OS protection measures, and difficulties manipulating dynamic pages for banks that require multi-factor authentication,” Holden said.

Malware

Malware Banking Phishing DDOS

Tricky Phish Angles for Persistence, Not Passwords

Krebs on Security

JANUARY 7, 2020

Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and thus it seems likely we will see this approach exploited more frequently in the future. Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage.

Phishing

Phishing Passwords Accountability Authentication

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

Krebs on Security

JULY 15, 2024

” The researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration). .’ This is absolutely insane if you’re used to and expecting the controls Google provides.”

Accountability

Accountability Cryptocurrency Passwords DNS

‘Land Lordz’ Service Powers Airbnb Scams

Krebs on Security

APRIL 14, 2019

Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org , Airbnb currently does not support any type of multi-factor authentication that users can enable.

Scams

Scams Advertising Accountability Phishing

Would You Have Fallen for This Phone Scam?

Krebs on Security

APRIL 28, 2020

As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.” “I was appalled that Citi would do that.

Scams

Scams Banking Accountability Financial Services

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

Krebs on Security

FEBRUARY 4, 2021

Any accounts that you value should be secured with a unique and strong password, as well the most robust form of multi-factor authentication available. I advise readers to remove their phone numbers from accounts wherever possible , and to take advantage of a mobile app to generate any one-time codes for multifactor authentication.

Accountability

Accountability Hacking Media Mobile

Owners of 1-Time Passcode Theft Service Plead Guilty

Krebs on Security

SEPTEMBER 2, 2024

agency , a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. Three men in the United Kingdom have pleaded guilty to operating otp[.]agency

Accountability

Accountability Banking Passwords Scams

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

Krebs on Security

DECEMBER 13, 2022

While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email. “If it was only the phone I will be in [a] bad situation,” USDoD said. “Because I used the person[‘s] phone that I’m impersonating.”

Hacking

Hacking Energy and Utilities Cybercrime Accountability

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Krebs on Security

SEPTEMBER 5, 2023

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.” The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

Cryptocurrency

Cryptocurrency Passwords Encryption Accountability

The Life Cycle of a Breached Database

Krebs on Security

JULY 29, 2021

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Passwords

Passwords Password Management Phishing Scams

Discord Admins Hacked by Malicious Bookmarks

Krebs on Security

MAY 30, 2023

Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on. Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his timezone time before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.

Hacking

Hacking Accountability Scams Cryptocurrency

Busting SIM Swappers and SIM Swap Myths

Krebs on Security

NOVEMBER 6, 2018

” Rose said mobile phone stores could cut down on these crimes in much the same way that potential victims can combat SIM swapping: By relying on dual authentication. He advises people instead use a mobile app like Authy or Google Authenticator to generate the one-time code. ” TWO-FACTOR BREAKDOWN.

Mobile

Mobile Cryptocurrency Accountability Passwords

It’s Way Too Easy to Get a.gov Domain Name

Krebs on Security

NOVEMBER 26, 2019

.” Levine said like the Internet itself, this entire debacle is yet another example of an important resource with potentially explosive geopolitical implications that was never designed with security or authentication in mind. “It turns out that the GSA is pretty good at doing boring clerical stuff,” he said. ”

Government

Government Internet Internet Web Fraud

New Ransom Payment Schemes Target Executives, Telemedicine

Krebs on Security

DECEMBER 8, 2022

Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication. Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities. Encrypting sensitive data wherever possible.

Healthcare

Healthcare Backups Ransomware Insurance

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Krebs on Security

SEPTEMBER 22, 2023

To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password. .” A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services.

Passwords

Passwords Encryption Password Management Cryptocurrency

Does Your Domain Have a Registry Lock?

Krebs on Security

JANUARY 24, 2020

Use 2-factor authentication, and require it to be used by all relevant users and subcontractors. -In Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes). Use DNSSEC (both signing zones and validating responses).

DNS

DNS Social Engineering Engineering Accountability

Glut of Fake LinkedIn Profiles Pits HR Against the Bots

Krebs on Security

OCTOBER 5, 2022

Our community is all about authentic people having meaningful conversations and to always increase the legitimacy and quality of our community.” . “We do stop the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scams.

Accountability

Accountability Scams Artificial Intelligence Cryptocurrency

Phishers are Angling for Your Cloud Providers

Krebs on Security

AUGUST 30, 2019

Salesforce told KrebsOnSecurity that this was not a compromise of Pardot, but of a Pardot customer account that was not using multi-factor authentication. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.

Phishing

Phishing Marketing Accountability DNS

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Krebs on Security

JANUARY 22, 2019

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette. “After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

DNS

DNS Internet Internet Computers and Electronics

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Krebs on Security

APRIL 3, 2024

“The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain.

Phishing

Phishing Cybercrime Malware Advertising

Karma Catches Up to Global Phishing Service 16Shop

Krebs on Security

AUGUST 17, 2023

Redline infections steal gobs of data from the victim machine, including a list of recent downloads, stored passwords and authentication cookies, as well as browser bookmarks and auto-fill data.

Phishing

Phishing Passwords Hacking Internet

Booking.com Phishers May Leave You With Reservations

A Day in the Life of a Prolific Voice Phishing Crew

Webinars

Trending Sources

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Webinars

Crime Shop Sells Hacked Logins to Other Crime Shops

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Recycle Your Phone, Sure, But Maybe Not Your Number

The Rise of One-Time Password Interception Bots

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

How 1-Time Passcodes Became a Corporate Liability

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Gift Card Gang Extracts Cash From 100k Inboxes Daily

When Low-Tech Hacks Cause High-Impact Breaches

Experian, You Have Some Explaining to Do

Malicious Office 365 Apps Are the Ultimate Insiders

Local Networks Go Global When Domain Names Collide

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Identity Thieves Bypassed Experian Security to View Credit Reports

How Coinbase Phishers Steal One-Time Passwords

Don’t Let Your Domain Name Become a “Sitting Duck”

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

How $100M in Jobless Claims Went to Inmates

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Disneyland Malware Team: It’s a Puny World After All

Tricky Phish Angles for Persistence, Not Passwords

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

‘Land Lordz’ Service Powers Airbnb Scams

Would You Have Fallen for This Phone Scam?

Facebook, Instagram, TikTok and Twitter Target Resellers of Hacked Accounts

Owners of 1-Time Passcode Theft Service Plead Guilty

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

The Life Cycle of a Breached Database

Discord Admins Hacked by Malicious Bookmarks

Busting SIM Swappers and SIM Swap Myths

It’s Way Too Easy to Get a.gov Domain Name

New Ransom Payment Schemes Target Executives, Telemedicine

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Does Your Domain Have a Registry Lock?

Glut of Fake LinkedIn Profiles Pits HR Against the Bots

Phishers are Angling for Your Cloud Providers

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Karma Catches Up to Global Phishing Service 16Shop

Stay Connected