Phishing - Cyber Security Informer

Using AI to Scale Spear Phishing

Schneier on Security

AUGUST 13, 2021

The problem with spear phishing it that it takes time and creativity to create individualized enticing phishing emails. The real risk isn’t that AI-generated phishing emails are as good as human-generated ones, it’s that they can be generated at much greater scale. Defcon presentation and slides.

Phishing

Phishing Risk Social Engineering Artificial Intelligence

Defeating Phishing-Resistant Multifactor Authentication

Schneier on Security

NOVEMBER 9, 2022

CISA is now pushing phishing-resistant multifactor authentication. Roger Grimes has an excellent post reminding everyone that “phishing-resistant” is not “phishing proof,” and that everyone needs to stop pretending otherwise. His list of different attacks is particularly useful.

Authentication

Authentication Phishing

AI Will Increase the Quantity—and Quality—of Phishing Scams

Schneier on Security

JUNE 3, 2024

Recent research showed that 60% of participants fell victim to artificial intelligence (AI)-automated phishing, which is comparable to the success rates of non-AI-phishing messages created by human experts. Here’s the full text.

Phishing

Phishing Artificial Intelligence Scams

Man-in-the-Middle Phishing Attack

Schneier on Security

AUGUST 25, 2022

Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into.

Phishing

Phishing Authentication Passwords Accountability

5 Key Findings From the 2023 FBI Internet Crime Report

The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI).

Identity Theft

A Guide to Phishing Attacks

Schneier on Security

JANUARY 27, 2023

This is a good list of modern phishing techniques.

Phishing

Phish-Friendly Domain Registry “.top” Put on Notice

Krebs on Security

JULY 23, 2024

The Chinese company in charge of handing out domain names ending in “ top ” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. ” Image: Shutterstock. Interisle said.top has roughly 2.76

Phishing

Phishing DNS Scams Technology

‘Tis the Season for the Wayward Package Phish

Krebs on Security

NOVEMBER 4, 2021

Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients. One of dozens of FedEx-themed phishing sites currently being advertised via SMS spam. ” Attempting to visit the domain in the phishing link — o001cfedeex[.]com

Phishing

Phishing Scams Mobile DNS

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Krebs on Security

AUGUST 18, 2022

” A copy of the phishing message included in the PayPal.com invoice. While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phish@paypal.com) and media relations teams.

Scams

Scams Phishing Accountability Software

SMS About Bank Fraud as a Pretext for Voice Phishing

Krebs on Security

NOVEMBER 10, 2021

” The remarkable aspect of these phone-based phishing scams is typically the attackers never even try to log in to the victim’s bank account. We don’t know what the fraudsters behind this clever hybrid SMS/voice phishing scam intended to do with the information they might have coaxed from Stevens’ daughter.

Banking

Banking Phishing Scams Accountability

SMS Phishing Attacks are on the Rise

Schneier on Security

APRIL 25, 2022

SMS phishing attacks — annoyingly called “smishing” — are becoming more common. I know that I have been receiving a lot of phishing SMS messages over the past few months. I am not getting the “Fedex package delivered” messages the article talks about.

Phishing

LLMs and Phishing

Schneier on Security

APRIL 10, 2023

Here’s an experiment being run by undergraduate computer science students everywhere: Ask ChatGPT to generate phishing emails, and test whether these are better at persuading victims to respond or click on the link than the usual spam.

Phishing

Phishing Scams Internet Internet

Phishing Domains Tanked After Meta Sued Freenom

Krebs on Security

MAY 26, 2023

The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta , which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.

Phishing

Phishing Malware

Thanks FedEx, This is Why we Keep Getting Phished

Troy Hunt

FEBRUARY 23, 2024

I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. And so, when I received the following SMS earlier this week I was expecting a parcel and I was expecting phishing attacks: So. Parcel or phish?

Phishing

Phishing Scams Banking Social Engineering

This Windows PowerShell Phish Has Scary Potential

Krebs on Security

SEPTEMBER 19, 2024

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.

Phishing

Phishing Scams Malware Passwords

Fake Lawsuit Threat Exposes Privnote Phishing Sites

Krebs on Security

APRIL 4, 2024

The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers. A screenshot of the phishing domain privatemessage dot net.

Phishing

Phishing Cryptocurrency DDOS Internet

Spear Phishing vs Phishing: What Are The Main Differences?

Tech Republic Security

FEBRUARY 6, 2024

There are a few differences between spear phishing and phishing that can help you identify and protect your organization from threats. Learn about these differences.

Phishing

Phishing Antivirus VPN Software

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Troy Hunt

AUGUST 30, 2023

They'd observed a phishing campaign that had collected 68k credentials from unsuspecting victims and asked if HIBP may be used to help alert these individuals to their exposure. Last week I was contacted by CERT Poland. Data accumulated by the malicious activity spanned from October 2022 until just last week.

Phishing

Phishing Password Management Passwords Banking

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Krebs on Security

APRIL 3, 2024

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “ The Manipulaters ,” a sprawling web hosting network of phishing and spam delivery platforms. Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com.

Phishing

Phishing Cybercrime Malware Advertising

UPS Data Harvested for SMS Phishing Attacks

Schneier on Security

JUNE 23, 2023

I get UPS phishing spam on my phone all the time. Turns out that hackers have been harvesting actual UPS delivery data from a Canadian tracking tool for its phishing SMSs. I never click on it, because it’s so obviously spam.

Phishing

Phishing Cybercrime

Black Hat Fireside Chat: User feedback, AI-infused email security are both required to deter phishing

The Last Watchdog

AUGUST 21, 2024

I recently learned all about the state-of-the art of phishing attacks – the hard way. We discussed just how targeted and contextualized advanced phishing attacks, like the one I experienced, can be. Foolishly, I did so all too quickly. For a full drill down, please give the accompanying podcast a listen.

Phishing

Phishing Internet Internet

Scammers Steal Over $25 Million By Using AI Deepfake Video Call To Convince Suspicious Employee That A Phishing Email Is Legitimate

Joseph Steinberg

FEBRUARY 4, 2024

The worker however, was aware of phishing scams, and was suspicious that the request from the firm’s CFO to issue the $25 Million payment was fraudulent. Million USD at the time of the theft and at present). For those who still do not believe that they can be tricked by deepfakes – the time to wakeup is now.

Artificial Intelligence

Artificial Intelligence Phishing Scams Accountability

Australian Organisations Targeted by Phishing Attacks Disguised as Atlassian

Tech Republic Security

SEPTEMBER 27, 2024

Mimecast said a phishing campaign using Atlassian workspaces shows the growing sophistication of cyber threat actors.

Phishing

Phishing Cyber threats

Threat Actors Exploit Microsoft Sway to Host QR Code Phishing Campaigns

Tech Republic Security

AUGUST 29, 2024

Threat actors are abusing Microsoft Sway to host QR Code phishing campaigns.

Phishing

Why Phishers Love New TLDs Like.shop,top and.xyz

Krebs on Security

DECEMBER 3, 2024

Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as.shop ,top ,xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. ”

Cybercrime

Cybercrime Phishing Accountability Internet

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing

Phishing Accountability Authentication Advertising

Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations

Tech Republic Security

OCTOBER 31, 2024

Russian hackers, known as Midnight Blizzard, launch targeted spear-phishing on U.S. officials, exploiting RDP files to gain access to data.

Phishing

How to Spot a Phishing Email Attempt

Tech Republic Security

JULY 14, 2024

Phishing attacks are one of the most common types of data breach attempts, with 31,000 phishing attacks launching every single day, according to cybersecurity firm SlashNext. Furthermore, 77% of cybersecurity professionals report being targeted by phishing attacks, proving just how widespread these attacks are.

Phishing

Phishing Data breaches Cybersecurity

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. A Google-translated version of the now-defunct Coinbase phishing site, coinbase.com.password-reset[.]com. The Coinbase phishing panel. million Italians.

Passwords

Passwords Phishing Accountability Mobile

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one. We have reported the fraudulent sites to Microsoft already.

Engineering

Engineering Phishing Banking Authentication

Nigerian man Sentenced to 26+ years in real estate phishing scams

Security Affairs

NOVEMBER 4, 2024

for phishing scams that stole millions by hacking email accounts. for phishing scams that resulted in the compromise of millions of email accounts. for phishing scams that resulted in the compromise of millions of email accounts. Nigerian Kolade Ojelade gets 26 years in U.S. ” reads the press release published by DoJ.

Scams

Scams Phishing Identity Theft Accountability

How Phishers Are Slinking Their Links Into LinkedIn

Krebs on Security

FEBRUARY 3, 2022

This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature. A recent phishing site that abused LinkedIn’s marketing redirect. A recent phishing site that abused LinkedIn’s marketing redirect. Urlscan also found this phishing scam from Jan. Image: Urlscan.io.

Phishing

Phishing Marketing Scams Accountability

Expert Tips on How to Spot a Phishing Link

The Hacker News

SEPTEMBER 25, 2024

Phishing attacks are becoming more advanced and harder to detect, but there are still telltale signs that can help you spot them before it's too late. See these key indicators that security experts use to identify phishing links:1. Check Suspicious URLs Phishing URLs are often long, confusing, or filled with random characters.

Phishing

Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks

The Hacker News

NOVEMBER 29, 2024

Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials.

Phishing

Phishing Authentication Accountability Cybersecurity

Identity Phishing: Using Legitimate Cloud Services to Steal User Access

Security Boulevard

DECEMBER 5, 2024

Identity phishing doesn’t just lead to data theft – it can also lead to financial fraud, targeted social engineering attacks and lateral movement across endpoints. The post Identity Phishing: Using Legitimate Cloud Services to Steal User Access appeared first on Security Boulevard.

Phishing

Phishing Social Engineering Engineering Security Awareness

Booking.com Phishers May Leave You With Reservations

Krebs on Security

NOVEMBER 1, 2024

This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California.

Phishing

Phishing Accountability Artificial Intelligence Cybercrime

Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials

The Hacker News

SEPTEMBER 20, 2024

Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones.

Mobile

Mobile Phishing

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

The Hacker News

OCTOBER 16, 2024

A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails.

Banking

Banking Phishing Malware Retail

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

The Hacker News

SEPTEMBER 30, 2024

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft.

Phishing

Phishing Cyber Attacks

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing

Phishing Accountability Authentication Advertising

Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

The Hacker News

SEPTEMBER 15, 2024

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials.

Phishing

Phishing Cybersecurity

Iranian State-Sponsored Hacking Attempts

Schneier on Security

JULY 13, 2021

In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. The compromised site was configured to capture a variety of credentials.

Hacking

Hacking Phishing Accountability Cybersecurity

Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

The Hacker News

OCTOBER 22, 2024

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns. Tracked under the names BlackWidow, IceNova, Lotus,

Phishing

Phishing Malware

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

MARCH 10, 2022

The answer is remarkably simple, actually— phishing. This means traditional MFA is becoming increasingly useless against phishing in the real world. In other words, is there a type of MFA that’s resistant to phishing? There’s nothing to type, so there’s nothing to phish. The answer is yes.

Authentication

Authentication Phishing Passwords Accountability

Using AI to Scale Spear Phishing

Defeating Phishing-Resistant Multifactor Authentication

Trending Sources

AI Will Increase the Quantity—and Quality—of Phishing Scams

Man-in-the-Middle Phishing Attack

5 Key Findings From the 2023 FBI Internet Crime Report

A Guide to Phishing Attacks

Phish-Friendly Domain Registry “.top” Put on Notice

‘Tis the Season for the Wayward Package Phish

PayPal Phishing Scam Uses Invoices Sent Via PayPal

SMS About Bank Fraud as a Pretext for Voice Phishing

SMS Phishing Attacks are on the Rise

LLMs and Phishing

Phishing Domains Tanked After Meta Sued Freenom

Thanks FedEx, This is Why we Keep Getting Phished

This Windows PowerShell Phish Has Scary Potential

Fake Lawsuit Threat Exposes Privnote Phishing Sites

Spear Phishing vs Phishing: What Are The Main Differences?

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

UPS Data Harvested for SMS Phishing Attacks

Black Hat Fireside Chat: User feedback, AI-infused email security are both required to deter phishing

Scammers Steal Over $25 Million By Using AI Deepfake Video Call To Convince Suspicious Employee That A Phishing Email Is Legitimate

Australian Organisations Targeted by Phishing Attacks Disguised as Atlassian

Threat Actors Exploit Microsoft Sway to Host QR Code Phishing Campaigns

Why Phishers Love New TLDs Like.shop,top and.xyz

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations

How to Spot a Phishing Email Attempt

How Coinbase Phishers Steal One-Time Passwords

Crooks bank on Microsoft’s search engine to phish customers

Nigerian man Sentenced to 26+ years in real estate phishing scams

How Phishers Are Slinking Their Links Into LinkedIn

Expert Tips on How to Spot a Phishing Link

Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks

Identity Phishing: Using Legitimate Cloud Services to Steal User Access

Booking.com Phishers May Leave You With Reservations

Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

Iranian State-Sponsored Hacking Attempts

Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

Not All MFA is Equal, and the Differences Matter a Lot

Stay Connected