Web Fraud - Cyber Security Informer

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way.

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Krebs on Security

JANUARY 16, 2025

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass , warning that recipients face fines if a delinquent toll fee remains unpaid.

Phishing

Phishing Scams Mobile Passwords

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Krebs on Security

NOVEMBER 9, 2024

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based based technology companies.

Hacking

Hacking Accountability Government Social Engineering

Booking.com Phishers May Leave You With Reservations

Krebs on Security

NOVEMBER 1, 2024

A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen.

Phishing

Phishing Accountability Artificial Intelligence Cybercrime

How Phished Data Turns into Apple & Google Wallets

Krebs on Security

FEBRUARY 18, 2025

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market.

Phishing

Phishing Mobile Scams Retail

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Krebs on Security

JUNE 15, 2024

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider , a cybercrime group suspected of hacking into Twilio , LastPass , DoorDash , Mailchimp , and nearly 130 other organizations over the past two years.

Hacking

Hacking Phishing Cybercrime Passwords

How to Tell a Job Offer from an ID Theft Trap

Krebs on Security

MAY 21, 2021

One of the oldest scams around — the fake job interview that seeks only to harvest your personal and financial data — is on the rise, the FBI warns. Here’s the story of a recent LinkedIn impersonation scam that led to more than 100 people getting duped, and one almost-victim who decided the job offer was too-good-to-be-true.

Scams

Scams Accountability Advertising Web Fraud

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy , the world’s largest domain name registrar, KrebsOnSecurity has learned.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

Hoax Email Blast Abused Poor Coding in FBI Website

Krebs on Security

NOVEMBER 13, 2021

The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation.

Internet

Internet Internet Hacking Accountability

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

Krebs on Security

MAY 16, 2020

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

Insurance

Insurance Banking Identity Theft Accountability

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

Krebs on Security

DECEMBER 13, 2022

InfraGard , a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.

Hacking

Hacking Energy and Utilities Cybercrime Accountability

The Life Cycle of a Breached Database

Krebs on Security

JULY 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals.

Passwords

Passwords Password Management Phishing Scams

Would You Have Fallen for This Phone Scam?

Krebs on Security

APRIL 28, 2020

You may have heard that today’s phone fraudsters like to use use caller ID spoofing services to make their scam calls seem more believable.

Scams

Scams Banking Accountability Financial Services

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Krebs on Security

NOVEMBER 19, 2021

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle , a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family.

Scams

Scams Banking Passwords Authentication

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process.

Passwords

Passwords Phishing Accountability Mobile

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.

Cryptocurrency

Cryptocurrency Passwords Encryption Accountability

Recycle Your Phone, Sure, But Maybe Not Your Number

Krebs on Security

MAY 19, 2021

Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.

Mobile

Mobile Wireless Accountability Authentication

Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

Krebs on Security

AUGUST 25, 2021

In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin. After several years of working with investigators, Schober says he’s confident he has located two young men in the United Kingdom responsible for using a clever piece of digital clipboard-stealing malware that let them siphon his crypto holdings.

Cryptocurrency

Cryptocurrency Malware Mobile Accountability

Be Very Sparing in Allowing Site Notifications

Krebs on Security

NOVEMBER 17, 2020

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device.

Antivirus

Antivirus Advertising Internet Internet

Pay Up, Or We’ll Make Google Ban Your Ads

Krebs on Security

FEBRUARY 17, 2020

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program.

Scams

Scams Advertising Accountability Web Fraud

How Phishers Are Slinking Their Links Into LinkedIn

Krebs on Security

FEBRUARY 3, 2022

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it?

Phishing

Phishing Marketing Scams Accountability

This Windows PowerShell Phish Has Scary Potential

Krebs on Security

SEPTEMBER 19, 2024

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.

Phishing

Phishing Scams Malware Passwords

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

Krebs on Security

JULY 15, 2024

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts.

Accountability

Accountability Cryptocurrency Passwords DNS

Riding the State Unemployment Fraud ‘Wave’

Krebs on Security

MAY 23, 2020

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S.

Insurance

Insurance Accountability Banking Government

Scam ‘Funeral Streaming’ Groups Thrive on Facebook

Krebs on Security

SEPTEMBER 18, 2024

Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information.

Scams

Scams DNS Internet Internet

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Krebs on Security

JANUARY 30, 2024

authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. 9, 2024, U.S. technology companies during the summer of 2022.

Social Engineering

Social Engineering Mobile Passwords Cybercrime

Why Your VPN May Not Be As Secure As It Claims

Krebs on Security

MAY 6, 2024

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage.

VPN

VPN Wireless Internet Internet

Local Networks Go Global When Domain Names Collide

Krebs on Security

AUGUST 23, 2024

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time.

DNS

DNS Internet Internet Authentication

Identity Thieves Bypassed Experian Security to View Credit Reports

Krebs on Security

JANUARY 9, 2023

Identity thieves have been exploiting a glaring security weakness in the website of Experian , one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history.

Identity Theft

Identity Theft Accountability Authentication Web Fraud

Apple AirTag Bug Enables ‘Good Samaritan’ Attack

Krebs on Security

SEPTEMBER 28, 2021

The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode.

Mobile

Mobile Phishing Malware Software

Malicious Office 365 Apps Are the Ultimate Insiders

Krebs on Security

MAY 5, 2021

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page.

Accountability

Accountability Advertising Passwords Phishing

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

Krebs on Security

OCTOBER 8, 2020

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” ” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in.

Cybercrime

Cybercrime VPN Malware Ransomware

This Service Helps Malware Authors Fix Flaws in their Code

Krebs on Security

MAY 18, 2020

Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals. Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware.

Malware

Malware Cybercrime Ransomware Marketing

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

Krebs on Security

JULY 26, 2024

Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.

Accountability

Accountability Authentication Cryptocurrency Web Fraud

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords.

Passwords

Passwords Mobile Authentication Banking

How Cybercriminals are Weathering COVID-19

Krebs on Security

APRIL 30, 2020

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors.

Cybercrime

Cybercrime Computers and Electronics Marketing Scams

Fake CISO Profiles on LinkedIn Target Fortune 500s

Krebs on Security

SEPTEMBER 30, 2022

Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be.

CISO

CISO Cybercrime Accountability Information Security

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Krebs on Security

AUGUST 18, 2022

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars.

Scams

Scams Phishing Accountability Software

The Stark Truth Behind the Resurgence of Russia’s Fin7

Krebs on Security

JULY 10, 2024

The Russia-based cybercrime group dubbed “ Fin7 ,” known for phishing and malware attacks that have cost victim organizations an estimated $3 billion in losses since 2013, was declared dead last year by U.S. authorities.

Phishing

Phishing Cybercrime Malware Software

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Krebs on Security

SEPTEMBER 2, 2021

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period.

Accountability

Accountability Authentication Passwords Hacking

Crime Shop Sells Hacked Logins to Other Crime Shops

Krebs on Security

JANUARY 21, 2022

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club , a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a (..)

Hacking

Hacking Cybercrime Passwords Authentication

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

Krebs on Security

FEBRUARY 28, 2023

Image: Shutterstock.com Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests.

Mobile

Mobile Phishing Authentication Advertising

New Anti Anti-Money Laundering Services for Crooks

Krebs on Security

AUGUST 13, 2021

A new dark web service is marketing to cybercriminals who are curious to see how their various cryptocurrency holdings and transactions may be linked to known criminal activity.

Cryptocurrency

Cryptocurrency Marketing Ransomware Financial Services

Crooked Cops, Stolen Laptops & the Ghost of UGNazi

Krebs on Security

SEPTEMBER 30, 2024

A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, the government alleges.

Cryptocurrency

Cryptocurrency Government Internet Internet

A Day in the Life of a Prolific Voice Phishing Crew

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Trending Sources

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Booking.com Phishers May Leave You With Reservations

How Phished Data Turns into Apple & Google Wallets

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

How to Tell a Job Offer from an ID Theft Trap

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Hoax Email Blast Abused Poor Coding in FBI Website

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

The Life Cycle of a Breached Database

Would You Have Fallen for This Phone Scam?

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

How Coinbase Phishers Steal One-Time Passwords

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Recycle Your Phone, Sure, But Maybe Not Your Number

Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

Be Very Sparing in Allowing Site Notifications

Pay Up, Or We’ll Make Google Ban Your Ads

How Phishers Are Slinking Their Links Into LinkedIn

This Windows PowerShell Phish Has Scary Potential

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

Riding the State Unemployment Fraud ‘Wave’

Scam ‘Funeral Streaming’ Groups Thrive on Facebook

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Why Your VPN May Not Be As Secure As It Claims

Local Networks Go Global When Domain Names Collide

Identity Thieves Bypassed Experian Security to View Credit Reports

Apple AirTag Bug Enables ‘Good Samaritan’ Attack

Malicious Office 365 Apps Are the Ultimate Insiders

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

This Service Helps Malware Authors Fix Flaws in their Code

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

The Rise of One-Time Password Interception Bots

How Cybercriminals are Weathering COVID-19

Fake CISO Profiles on LinkedIn Target Fortune 500s

PayPal Phishing Scam Uses Invoices Sent Via PayPal

The Stark Truth Behind the Resurgence of Russia’s Fin7

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Crime Shop Sells Hacked Logins to Other Crime Shops

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

New Anti Anti-Money Laundering Services for Crooks

Crooked Cops, Stolen Laptops & the Ghost of UGNazi

Stay Connected