CySecurity News - Latest Information Security and Hacking Incidents: Cyber Fraud

AI Deepfakes Cyber Fraud Cyber Security Deepfake Deepfake Fraud Digital Identity Risks Internet Safety

Deepfake Fraud Expands as Synthetic Media Targets Online Identity Verification Systems

Beyond spreading false stories or fueling viral jokes, deepfakes are shifting into sharper, more dangerous forms. Security analysts point out how fake videos and audio clips now play a growing role in trickier scams - ones aimed at breaking through digital ID checks central to countless web-based platforms.

Now shaping much of how companies operate online, verifying who someone really is sits at the core of digital safety. Customer sign-up at financial institutions, drivers joining freelance platforms, sellers accessing marketplaces, employment checks done remotely, even resetting lost accounts - each depends on proving a person exists beyond a screen.

Yet here comes a shift: fraudsters increasingly twist live authentication using synthetic media made by artificial intelligence. Attackers now focus less on tricking face scans. They pretend to be actual people instead. By doing so, they secure authorized entry into digital platforms. After slipping past verification layers, their access often spreads - crossing personal apps and corporate networks alike. Long-term hold over hijacked profiles becomes the goal. This shift allows repeated intrusions without raising alarms.

What security teams now notice is a blend of methods aimed at fooling identity checks. High-resolution fake faces appear alongside cloned voices - both able to get through fast login verifications. Stolen video clips come into play during replay attempts, tricking systems expecting live input. Instead of building from scratch, hackers sometimes reuse existing recordings to test weak spots often. Before the software even analyzes the feed, manipulated streams slip in through injection tactics that alter what gets seen.

Still, these methods point to an escalating issue for groups counting only on deepfake spotting tools. More specialists now suggest that checking digital content by itself falls short against today’s identity scams. Rather than focusing just on files, defenses ought to examine every step of the ID check process - spotting subtle signs something might be off. Starting with live video analysis, Incode Deepsight checks if the stream has been tampered with.

Instead of relying solely on images, it confirms identity throughout the entire session. While processing data instantly, the tool examines device security features too. Because behavior patterns matter, slight movements or response timing help indicate real people. Even subtle cues, like how someone holds a phone, become part of the evaluation. Though focused on accuracy, its main role is spotting mismatches across different inputs. Deepfakes pose serious threats when used to fake identities. When these fakes slip through defenses, criminals may set up false profiles built from artificial personas.

Accessing real user accounts becomes possible under such breaches. Verification steps in online job onboarding might be tricked with fabricated visuals. Sensitive business networks could then open to unauthorized entry. Not every test happens in a lab - some scientists now check how detection tools hold up outside controlled settings. Work from Purdue University looked into this by testing algorithms against actual cases logged in the Political Deepfakes Incident Database. Real clips pulled from sites like YouTube, TikTok, Instagram, and X (formerly Twitter) make up the collection used for evaluation.

Unexpected results emerged: detection tools tend to succeed inside lab settings yet falter when faced with actual recordings altered by compression or poor capture quality. Complexity grows because hackers mix methods - replay tactics layered with automated scripts or injected data - which pushes identification efforts further into uncertainty. Security specialists believe trust won’t hinge just on recognizing faces or voices.

Instead, protection may come from checking multiple signals throughout a digital interaction. When one method misses something, others can still catch warning signs. Confidence grows when systems look at patterns over time, not isolated moments. Layers make it harder for deception to go unnoticed. A single flaw doesn’t collapse the whole defense. Frequent shifts in digital threats push experts to treat proof of identity as continuous, not fixed at entry. Over time, reliance on single checkpoints fades when systems evolve too fast.

The Global Cyber Fraud Wave Is Being Supercharged by Artificial Intelligence



 

Telecom Fraud Prevention

AI security risks Artificial Intelligence Cybersecurity Cyber Fraud Cyber Fraud Detection Cyber Threats Ransomware Threat Landscape Telecom Fraud Prevention

The Global Cyber Fraud Wave Is Being Supercharged by Artificial Intelligence

It is becoming increasingly common for organizations to rethink how security operations are structured and managed as the digital threat landscape continues to evolve. Artificial intelligence is increasingly becoming an integral part of modern cyber defense strategies due to its increasing complexity.

As networks, endpoints, and cloud infrastructures generate large quantities of telemetry, security teams are turning to advanced machine learning models and intelligent analytics to process those data. As a result, these systems are able to identify subtle anomalies and behavioral patterns which would otherwise be hidden by conventional monitoring frameworks, allowing for earlier detection of malicious behavior.

In addition to improving cybersecurity workflow efficiency, AI is also transforming cybersecurity operations. With adaptive algorithms that continually refine their analytical models, tasks that previously required extensive manual oversight can now be automated, such as log correlation, threat triage, and vulnerability assessment.

Artificial intelligence allows security professionals to concentrate on more strategic and investigative activities, such as threat hunting and incident response planning, by reducing the operational burden on human analysts. Organizations are facing increasingly sophisticated adversaries who utilize automation and advanced techniques in order to circumvent traditional defenses.

The shift is particularly important as adversaries become increasingly sophisticated. Additionally, AI can strengthen proactive defense mechanisms by analyzing historical attacks and behavioral indicators.

Using AI-driven platforms, organizations can detect phishing campaigns in real time using linguistic and contextual analysis as well as flag suspicious activity across distributed environments in advance of emerging attack vectors. This continuous learning capability allows these systems to adapt to changes in the threat landscape, enhancing their accuracy and resilience as new patterns of malicious activity emerge.

Therefore, artificial intelligence is becoming a strategic asset as well as a defensive necessity, enabling organizations to deal with cyber threats more effectively, efficiently, and adaptably while ensuring the security of critical data and digital infrastructure.

In the telecommunications sector, fraud has been a persistent operational and security concern for many years, resulting in considerable financial losses and reputational consequences. In order to identify irregular usage patterns and protect subscriber accounts, telecom operators traditionally rely on multilayered monitoring controls and rule-based fraud management systems.

Although the industry is rapidly expanding into adjacent digital services, including mobile payments, digital wallets, and payment service banking, conventional boundaries that once separated the telecom industry from the financial sector have begun to become blurred. Increasingly, telecom networks serve as foundational infrastructure for digital transactions, identity verification, and financial connectivity, rather than merely serving as communication channels.

By resulting in this structural shift, the attack surface has been significantly increased, resulting in a more complex and interconnected fraud environment, where threats are capable of propagating across multiple digital platforms. At the same time, artificial intelligence is rapidly transforming the way fraud risks are managed and emergence occurs.

With the use of artificial intelligence-driven automation, sophisticated threats actors are orchestrating highly scalable fraud campaigns, generating convincing phishing messages, utilizing social engineering tactics, and analyzing network vulnerabilities more quickly than ever before. This capability enables fraudulent schemes to evolve dynamically, adapting more rapidly than traditional detection mechanisms.

In spite of this, technological advances are equipping telecommunications providers with more advanced defensive tools as well. A fraud detection platform based on artificial intelligence can analyze huge volumes of network telemetry and transaction data, analyzing signals across communication and payment systems in real time to identify subtle indicators of compromise.

By analyzing behavior patterns, detecting anomalies, and modeling predictive patterns, security teams are able to detect suspicious activities earlier and respond more precisely. Additionally, the economic implications of telecom-related fraud emphasize the need to strengthen these defenses. The telecommunications industry has been estimated to have suffered tens of billions of dollars in losses in recent years as a result of digital exploitation on a grand scale.

In emerging digital economies, this issue is particularly acute, since mobile connectivity is increasingly serving as a bridge to financial inclusion. Fraud incidents that occur on telecommunications networks that support digital banking, mobile money transfers, and online commerce can have consequences that go beyond the service providers themselves.

Interconnected platforms may be subject to a variety of regulatory exposures, operational disruptions, or declining consumer confidence at the same time, affecting both telecommunications and financial services simultaneously. Increasing convergence between communication networks and financial services is shifting telecom operators' responsibilities in light of their role in the digital payment ecosystem.

In addition to ensuring network reliability, providers are also expected to safeguard financial transactions occurring across their infrastructure as digital payment ecosystems grow. In light of the significant interrelationship between mobile and online banking ecosystems, a number of scams target these populations.

As a consequence of fraudulent activity occurring in such interconnected systems, it can have cascading effects across multiple organizations, leading to regulatory scrutiny and eroding trust within the entire digital economy.

The challenge for telecommunications companies is therefore no longer limited to managing network abuse alone; they must build resilient, intelligence-driven fraud prevention frameworks capable of protecting a complex digital environment that is becoming increasingly complex. Several studies conducted by the industry indicates that cyber threat operations are in the process of undergoing a significant transformation.

Attackers are increasingly orchestrating coordinated campaigns that incorporate traditional social engineering techniques with the speed and scale of automated technology. The use of artificial intelligence is now integral to the entire attack lifecycle, from early reconnaissance and target profiling to deceptive communication strategies and operational decision-making.

In the context of everyday business environments, organizations encounter increasingly high-risk interactions with automated systems as AI-powered tools become more accessible. Based on data collected in recent months, it appears that a substantial percentage of enterprise AI interactions involve prompts or requests that raise potential security concerns, demonstrating how the rapid integration of artificial intelligence into corporate workflows presents new opportunities for misappropriation.

Along with this trend, ransomware ecosystems are also maturing into fragmented and scalable models. It has been observed that the landscape is becoming more characterized by loosely connected networks of specialized operators rather than a few centralized threat groups.

As a consequence of decentralization, cybercriminals have been able to expand their operations at an exponential rate, increasing both the number of victims targeted and the speed with which campaigns can be executed.

Moreover, artificial intelligence is helping to streamline target identification, optimize extortion strategies, and automate negotiation and infrastructure management functions. Consequently, a more adaptive and resilient criminal ecosystem has been created that is capable of sustaining persistent global campaigns.

Social engineering tactics are also embracing a broader array of communication channels than traditional phishing emails. Deception is increasingly coordinated by threat actors across email, web platforms, enterprise collaboration tools, and voice communication channels. Security experts have observed a sharp increase in methods for manipulating user trust by issuing seemingly legitimate technical prompts or support instructions, often encouraging individuals to provide sensitive information or execute commands.

As a result, phone-based impersonation attacks have evolved into structured intrusion attempts targeted at corporate help desks and internal support functions, resulting in more targeted intrusion attempts. In the age of cloud-based computing, browsers, software-as-a-service environments, and collaborative digital workspaces, artificial intelligence will become an integral part of critical trust layers which adversaries will attempt to exploit.

Besides user-focused attacks, infrastructure-based vulnerabilities are also expanding the threat surface, enabling hackers to blend malicious activity into legitimate network traffic as covert entry points. Edge devices, virtual private network gateways, and internet-connected systems are increasingly being used as covert entry points by attackers.

The lack of oversight of these devices can result in persistent access routes that remain undetected within complex enterprise architectures. There are also additional risks associated with the infrastructure that supports artificial intelligence. As machine learning models, automated agents, and supporting services become integrated into enterprise technology stacks, significant configuration weaknesses have been identified across a wide number of deployments, highlighting potential exposures.

As a result of these developments, cybersecurity leaders are reconsidering the structure of defensive strategies in an era marked by machine-speed attacks. Analysts have increasingly emphasized that responding to incidents after they occur is no longer sufficient; organizations must design security frameworks that prioritize prevention and resilience from the very beginning.

To ensure these foundational controls can withstand automated and coordinated attacks, security teams need to reevaluate them across networks, endpoints, cloud platforms, communication systems, and secure access environments.

Security teams face the challenge of facilitating artificial intelligence adoption without introducing unmanaged risks as it becomes incorporated into daily business processes. Keeping a clear picture of the use of artificial intelligence, both sanctioned and unsanctioned, as well as enforcing policies, is essential to reducing the potential for data leakage and misuse.

In addition, protecting modern digital workspaces, where human decision-making increasingly intersects with automated technologies, is imperative. Several tools, including email platforms, web browsers, collaboration tools, and voice systems, form an integrated operation environment that needs to be secured as a single trust domain.

In addition to strengthening the protection of edge infrastructure, maintaining an accurate inventory of connected devices can assist in reducing the possibility of attackers exploiting hidden entry points. A key component of maintaining resilience against artificial intelligence-driven cyber threats is consistent visibility across hybrid environments that encompass both on-premises infrastructures and cloud platforms along with distributed edge systems.

By integrating oversight across these layers and prioritizing prevention-focused security models, organizations can reduce operational blind spots and enhance their defenses against rapidly evolving cyber threats. Industry observers emphasize that, under these circumstances, the ability to defend against AI-enabled cyber fraud will be less dependent upon isolated tools and more dependent upon coordinated security architectures.

The telecommunications and digital service providers are expected to strengthen collaboration across the technological, financial, and regulatory ecosystems, as well as embed intelligence-driven monitoring into every layer of their infrastructure. It is essential to continually model fraud threats, use adaptive security analytics, and tighten up governance of emerging technologies to anticipate how fraud tactics evolve as innovations progress.

By emphasizing proactive risk management and strengthening trust across interconnected digital platforms, organizations can be better prepared to address increasingly automated threats while maintaining the integrity of the rapidly expanding digital economy.

Meta Targets 150K Accounts in Southeast Asia Scam Operation



 

Southeast Asia

Cyber Fraud Law Enforcement Meta Scam Southeast Asia

Meta Targets 150K Accounts in Southeast Asia Scam Operation

Meta announced that it has removed more than 150,000 accounts tied to organized scam centers operating in Southeast Asia, describing the move as part of a large international effort to disrupt coordinated online fraud networks.

The enforcement action was carried out with assistance from authorities in several countries. Law enforcement agencies and government partners involved in the operation included officials from Thailand, the United States, the United Kingdom, Canada, South Korea, Japan, Singapore, the Philippines, Australia, New Zealand, and Indonesia. According to Meta, the joint effort resulted in 21 individuals being arrested by the Royal Thai Police.

This latest crackdown builds on an earlier pilot initiative launched in December 2025. During that initial phase, Meta removed approximately 59,000 accounts, Pages, and Groups from its platforms that were connected to similar fraudulent activity. The earlier investigation also led to the issuance of six arrest warrants by authorities.

In a statement explaining the action, Meta said that online scams have grown increasingly complex and organized over recent years. Criminal networks, often operating from countries such as Cambodia, Myanmar, and Laos, have established large scam compounds that function in many ways like organized business operations. These groups typically use structured teams, scripted communication strategies, and digital tools designed to evade detection while targeting victims on a global scale. According to the company, the impact of such scams extends far beyond financial loss, as they can severely disrupt lives and weaken trust in digital communication platforms.

Alongside the enforcement action, Meta also announced several new safety features aimed at helping users identify and avoid scam attempts.

One of these tools introduces new warning messages on Facebook that notify users when they receive communication from accounts that display characteristics commonly linked to fraudulent activity. Another safeguard has been introduced on WhatsApp to address a tactic used by scammers who attempt to persuade users to scan a QR code. If successful, this method can link the attacker’s device to the victim’s WhatsApp account, allowing them to access messages and impersonate the account holder. Meta said its system will now notify users when suspicious device-linking requests are detected.

The company is also expanding scam detection on Messenger. When a conversation with a new contact begins to resemble known fraud patterns, such as questionable job opportunities or requests that appear unusual, the platform may prompt users to share recent messages so that an artificial intelligence system can evaluate whether the interaction matches known scam behavior.

Meta also disclosed broader enforcement statistics related to scams on its platforms. Throughout 2025, the company removed more than 159 million advertisements that violated its policies related to fraud and deception. In addition, it disabled approximately 10.9 million Facebook and Instagram accounts that investigators linked to organized scam centers.

To further address fraudulent activity, the company said it plans to expand its advertiser verification program. The goal of this measure is to increase transparency by confirming the identities of advertisers and reducing the ability of malicious actors to misrepresent themselves while running advertisements.

The announcement comes at a time when governments are intensifying efforts to address online fraud. The UK Government recently introduced a new Online Crime Centre designed to focus specifically on cybercrime, including scams connected to organized fraud operations operating in regions such as Southeast Asia, West Africa, Eastern Europe, India, and China.

The centre will bring together specialists from several sectors, including government agencies, law enforcement, intelligence services, financial institutions, mobile network providers, and major technology companies. The initiative is expected to begin operations next month.

The project forms part of the United Kingdom’s broader Fraud Strategy 2026–2029, a policy framework aimed at strengthening the country’s response to fraud and financial crime. As part of this strategy, authorities plan to use artificial intelligence to detect emerging scam patterns, identify suspicious bank transfers more quickly, and deploy “scam-baiting” chatbots designed to interact with fraudsters in order to gather intelligence.

Officials said the new centre, supported by more than £30 million in funding, will focus on identifying the digital infrastructure used by organized crime groups. This includes tracking fraudulent accounts, websites, and phone numbers used in scam operations. Authorities aim to shut down these resources at scale by blocking scam messages, freezing financial accounts linked to criminal activity, removing fraudulent social media profiles, and disrupting scam networks at their source.

Phishing Campaign Abuses .arpa Domain and IPv6 Tunnels to Evade Enterprise Security Defenses



 

reverse DNS exploitation

CNAME hijacking Cyber Fraud DNS infrastructure attack Infoblox Threat Intel IPv6 tunnel phishing reverse DNS exploitation

Phishing Campaign Abuses .arpa Domain and IPv6 Tunnels to Evade Enterprise Security Defenses

Cybersecurity experts at Infoblox Threat Intel have identified a sophisticated phishing operation that manipulates core internet infrastructure to slip past enterprise security mechanisms.

The campaign introduces an unusual evasion strategy: attackers are exploiting the .arpa top-level domain (TLD) while leveraging IPv6 tunnel services to host phishing pages. This method allows malicious actors to sidestep traditional domain reputation systems, posing a growing challenge for security teams.

Unlike public-facing domains such as .com or .net, the .arpa TLD is reserved strictly for internal internet functions. It primarily supports reverse DNS lookups, translating IP addresses into domain names, and was never intended to serve public web content.

Researchers found that attackers are capitalizing on weaknesses within DNS record management systems. By using free IPv6 tunnel providers, threat actors obtain control over certain IPv6 address ranges. Rather than configuring reverse DNS pointer (PTR) records as expected, they create standard A records under .arpa subdomains. This results in fully qualified domain names that appear to be legitimate infrastructure addresses—entities that security tools generally consider trustworthy and therefore seldom inspect closely.

Attack Chain and CNAME Hijacking

According to Infoblox, the campaign often starts with malspam emails impersonating well-known consumer brands. The emails feature a single clickable image that either advertises a prize or warns about a disrupted subscription.

Once clicked, victims are routed through a sophisticated Traffic Distribution System (TDS). The TDS analyzes the incoming traffic, specifically filtering for mobile users on residential IP networks, before ultimately delivering the malicious content.

In addition to abusing the .arpa namespace, the attackers are also exploiting dangling CNAME records. They have taken control of outdated subdomains belonging to respected government bodies, media outlets, and academic institutions. By registering expired domains that abandoned CNAME records still reference, they effectively inherit the reputation of trusted organizations, allowing malicious traffic to blend in seamlessly.

Dr. Renée Burton, Vice President at Infoblox Threat Intel, emphasized the severity of this tactic, noting that "weaponizing the .arpa namespace effectively turns the core of the internet into a phishing delivery mechanism."

Because reverse DNS domains inherently carry a clean reputation and lack conventional registration details, security systems that depend on URL analysis and blocklists often fail to identify the threat.

Experts recommend that organizations begin viewing foundational DNS infrastructure as a potential attack surface. Proactive monitoring, particularly for unusual record creation within the .arpa namespace, along with specialized filtering controls, will be critical to defending against this evolving threat.

U.S. Justice Department Seizes $61 Million in Tether Linked to ‘Pig Butchering’ Crypto Scams



 

U.S. Department of Justice

cryptocurrency Cyber Fraud DoJ crypto seizure pig butchering scam Tether freeze U.S. Department of Justice

U.S. Justice Department Seizes $61 Million in Tether Linked to ‘Pig Butchering’ Crypto Scams

The U.S. Department of Justice (DoJ) has revealed that it seized approximately $61 million in Tether connected to fraudulent cryptocurrency operations commonly referred to as “pig butchering” scams.

According to the department, investigators traced the confiscated digital assets to wallet addresses allegedly used to launder funds obtained through cryptocurrency investment fraud schemes. The stolen proceeds were reportedly siphoned from victims who were manipulated into investing in fake platforms promising lucrative returns.

"Criminal actors and professional money launderers use cyber-enabled fraud schemes to swindle their victims and conceal their ill-gotten gains," said HSI Charlotte Acting Special Agent in Charge Kyle D. Burns.

"HSI special agents work diligently to trace the illicit proceeds of crime across the globe to disrupt and dismantle the transnational criminal organizations that seek to defraud hardworking Americans."

Authorities explained that these schemes typically begin with scammers initiating contact through dating platforms or social media messaging applications. The perpetrators build trust by posing as romantic interests or financial advisors before persuading victims to invest in fabricated cryptocurrency opportunities.

Officials further noted that many of these operations are allegedly run from scam compounds based primarily in Southeast Asia. Individuals trafficked under false promises of well-paying jobs are reportedly forced to participate in the schemes. Their passports are confiscated, and they are coerced into deceiving targets online under threats of severe punishment.

Victims are directed to professional-looking but fraudulent investment websites that display falsified portfolios and exaggerated profits. These manipulated dashboards are designed to encourage larger investments. When victims attempt to withdraw their funds, they are often told to pay additional “fees,” resulting in further financial losses.

"Once the victims' money transferred to a cryptocurrency wallet under the scammers’ control, the crooks quickly routed that money through many other wallets to hide the nature, source, control, and ownership of that stolen money," the department added.

In a related statement, Tether disclosed that it has frozen roughly $4.2 billion in assets tied to unlawful activities so far. The company said that nearly $250 million of that amount has been linked to scam networks since June 2025.

The seizure marks one of the larger enforcement actions targeting cryptocurrency-enabled fraud and reflects ongoing efforts by U.S. authorities to disrupt global cybercrime syndicates exploiting digital assets.

Darktrace Flags Surge in Phishing as Identity-Based Attacks Redefine 2025 Threat Landscape



 

spear-phishing statistics

Cyber Fraud Darktrace phishing report 2025 DMARC bypass phishing identity-based cyberattacks spear-phishing statistics

Darktrace Flags Surge in Phishing as Identity-Based Attacks Redefine 2025 Threat Landscape

More than 32 million high-confidence phishing emails were identified in 2025, signaling a sharp rise in identity-focused cyberattacks, according to new findings from Darktrace.

The cybersecurity firm analyzed incidents across its global customer network, revealing a year marked by growing automation, overlapping attack techniques, and faster execution by threat actors.

Among the total phishing volume, over 8.2 million emails specifically targeted high-profile individuals and executives, representing more than a quarter of all attempts observed. Additionally, 1.6 million phishing messages were traced to newly registered domains, while 1.2 million leveraged malicious QR codes to lure victims.

The report found that 70% of phishing emails bypassed DMARC authentication checks. Spear-phishing accounted for 41% of attacks, and 38% featured new social engineering strategies. Roughly one-third of the phishing emails exceeded 1,000 characters in length, indicating increasingly sophisticated messaging tactics.

Identity Compromise Emerges as Primary Breach Method

The analysis underscores a major shift in cyber intrusion tactics: identity compromise has surpassed vulnerability exploitation as the leading initial access method. Although Common Vulnerabilities and Exposures (CVEs) rose approximately 20% year-over-year, many exploits were deployed even before vulnerabilities were publicly disclosed.

"Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy," commented Shane Barney, CISO at Keeper Security.

"When identity controls are fragmented or overly permissive, attackers don't need novel exploits. They just need access that looks routine."

In the Americas, nearly 70% of reported incidents involved SaaS and Microsoft 365 account takeovers. The manufacturing sector accounted for 17% of documented cases and represented 29% of ransomware incidents in the region. Overall, 47% of global security events tracked in 2025 originated from the Americas.

Regional data further illustrates varying levels of digital resilience and geopolitical pressure.

In Latin America, 44% of incidents stemmed from malware spreading after phishing or credential theft. The education sector was most affected, accounting for 18% of cases. Brazil, Mexico, and Colombia recorded the highest activity levels over the past three years. Across Europe, 58% of security incidents were linked to cloud and email compromise, while 42% were tied to network-based attacks. Africa reported a 60% year-over-year spike in ransomware incidents, with 76% of compromises categorized as network-driven.

In Asia-Pacific and Japan, 84% of organizations indicated that AI-driven threats are already affecting them. However, only 42% said they have formal governance policies in place for safe AI usage.

"Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security," SailPoint CEO, Mark McClain, said.

"This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside."

Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers



 

MMRat trojan

Coretax phishing scam Cyber Fraud Gigabud.RAT GoldFactory malware Group-IB report Indonesia Coretax fraud MMRat trojan

Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers

A highly coordinated cyber fraud campaign targeting Indonesia’s official Coretax tax system has resulted in estimated nationwide losses ranging between $1.5 million and $2 million.

Security firm Group-IB revealed that the scheme first surfaced in July 2025 and escalated sharply in January 2026, coinciding with the country’s peak tax filing season. Cybercriminals posed as the Coretax web portal to deceive users into installing malicious mobile applications.

Although Coretax is accessible strictly through its official website and does not offer a mobile application, attackers used this limitation to their advantage. The fraud operation combined cloned phishing websites, WhatsApp accounts impersonating tax officials, and voice phishing (vishing) calls to create a convincing attack chain.

Victims were instructed to download fraudulent APK files, unknowingly granting attackers remote control of their smartphones. This access enabled unauthorized banking transactions and financial theft.

Investigators traced the campaign to the GoldFactory threat cluster, which utilized several malware variants, including Gigabud.RAT and MMRat. During the probe, Group-IB uncovered 228 previously unidentified malware samples.

The infrastructure supporting the operation was also found to be repurposed to mimic more than 16 reputable brands across sectors such as government services, aviation, pension funds, and energy.

According to the report, approximately 67 million Indonesian taxpayers were considered potential targets. However, among financial institutions secured by Group-IB, the fraud success rate was restricted to 0.027% of infected devices due to advanced predictive detection tools.

Researchers estimated a broader device compromise rate of 0.025% — roughly 2.5 out of every 1,000 banking users. When extrapolated to Indonesia’s population of 287 million individuals exposed to the impersonated brands, the cumulative financial losses and associated operational expenses were calculated between $1.5 million and $2 million.

The investigation further identified 996 phishing URLs generated through a centralized system, pointing to a malware-as-a-service (MaaS) framework with the capacity to scale internationally. Potential expansion targets include Thailand, Vietnam, the Philippines, and South Africa.

The fraud followed a structured, multi-phase approach:

Distribution of phishing links via fake WhatsApp tax representatives
Installation of malicious applications that locked devices and extracted sensitive data
Vishing calls pressuring victims to settle alleged tax dues
Screen recording to capture banking credentials and one-time passwords (OTPs)
Remote account takeover (ATO) and fund transfers through mule accounts

Group-IB noted that a layered security strategy combining signature-based detection, behavioral analytics, and contextual threat intelligence significantly mitigated losses among its clients. By analyzing infrastructure patterns and anticipating brand impersonation trends, the company reported stopping most fraudulent transactions before funds could be withdrawn.

The case underscores the growing sophistication of coordinated malware campaigns and the risks they pose to public confidence in digital government services, particularly when critical platforms like national tax systems are targeted.

Indonesia Hit by $2m Fraud Wave Using Fake ‘Coretax’ Tax Apps



 

Phishing Campaign

Coretax Cyber Fraud Financial Scam Indonesia Phishing Campaign

Indonesia Hit by $2m Fraud Wave Using Fake ‘Coretax’ Tax Apps

A massive fraud campaign abusing Indonesia’s official Coretax tax platform has siphoned off an estimated 1.5–2 million dollars in losses nationwide, highlighting how cybercriminals now weaponize public digital services at industrial scale.

Launched around July 2025 and ramped up ahead of the 2026 tax filing season, the operation preyed on taxpayers who believed they were interacting with legitimate Coretax channels. Although Coretax is only available as a web service, victims were deceived into thinking an official mobile app existed, turning their smartphones into entry points for financial theft. This gap between user perception and the platform’s real distribution model became the core social engineering hook.

According to Group-IB, the attackers built a multi-stage attack chain that blended classic phishing with modern mobile malware techniques. It started with phishing websites that visually mimicked the Coretax portal and other trusted brands, then continued via WhatsApp messages and calls from impostors posing as tax officials. These contacts pushed users to download Android application packages (APKs) masquerading as Coretax tools for filing or synchronizing tax data. Once installed, the malicious apps granted remote access, allowing fraudsters to control infected devices, freeze screens, and intercept sensitive data.

The campaign has been linked to the GoldFactory threat cluster, known for deploying advanced Android remote access trojans such as Gigabud.RAT and MMRat. Investigators uncovered 228 new malware samples tied to the operation, underlining the industrialized nature of the scheme. Beyond Coretax, the same infrastructure impersonated more than 16 reputable brands, including government services, airlines, pension funds, and energy providers, significantly widening the pool of potential victims. This brand-hopping strategy enabled attackers to reuse tooling while constantly refreshing lures.

At its peak, the operation aimed at roughly 67 million Indonesian taxpayers and, more broadly, at 287 million individuals exposed to abused brands across the country. While the overall compromise rate remained relatively low—around 0.025% of users—the scale of the population meant financial losses and associated costs still reached between 1.5 and 2 million dollars. Among financial institutions protected by Group-IB, predictive detection and layered defenses limited successful fraud to just 0.027% of malware-compromised devices. This illustrates how early detection and behavioral analysis can sharply reduce downstream financial impact.

Researchers warn that the operation appears to follow a malware-as-a-service model, supported by a centralized framework that has already generated nearly a thousand phishing URLs. The same toolkit could easily be repurposed against taxpayers and banking customers in other countries, with Thailand, Vietnam, the Philippines, and South Africa cited as likely next targets. For Indonesian users, the key defense is to remember that Coretax does not have a mobile app and is only accessible via official government websites. Verifying domains, refusing APK installations sent over messaging apps, and questioning unsolicited “tax officer” calls are now critical to staying safe during tax season.

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners



 

snail mail

cryptocurrency Cyber Fraud forged letterheads Hardware Wallets Ledger phishing snail mail

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners

Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases.

The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025.

The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature.

The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare.

The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates.

Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain.

With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds.

The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks.

Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April.

A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds.

Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.

Dark Web Voice-Phishing Kits Supercharge Social Engineering and Account Takeovers



 

voice phishing kits

Cyber Fraud dark web phishing Identity Fraud MFA Bypass Okta threat intelligence social engineering scams voice phishing kits

Dark Web Voice-Phishing Kits Supercharge Social Engineering and Account Takeovers

Cybercriminals are finding it easier than ever to run convincing social engineering schemes and identity theft operations, driven by the availability of customized voice-phishing (vishing) kits sold on dark web forums and private messaging channels.

According to a recent Okta Threat Intelligence blog published on Thursday, these phishing kits are being marketed as a service to “a growing number” of threat actors aiming to compromise Google, Microsoft, and Okta user accounts. Beyond fake login pages, the kits also provide real-time support that helps attackers capture login credentials and multi-factor authentication (MFA) codes while victims are actively being manipulated.

“There are at least two kits that implement the novel functionality observed,” Okta Threat Intelligence Vice President Brett Winterford told The Register.

“The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations,” he said. “The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges.”

Winterford noted that this form of attack has “evolved significantly since late 2025.” Some advertisements promoting these kits even seek to hire native English-speaking callers to make the scams more believable.

“These callers pretend to be from an organization's helpdesk and approach targets using the pretext of resolving a support ticket or performing a mandatory technical update,” Winterford said.

Similar tactics were observed last year when Scattered Spider-style IT support scams enabled attackers to breach dozens of Salesforce environments, resulting in mass data theft and extortion campaigns.

The attacks typically begin with reconnaissance. Threat actors collect details such as employee names, commonly used applications, and IT support contact numbers. This information is often sourced from company websites, LinkedIn profiles, and other publicly accessible platforms. Using chatbots to automate this research further accelerates the process.

Once prepared, attackers deploy the phishing kit to generate a convincing replica of a legitimate login page. Victims are contacted via spoofed company or helpdesk phone numbers and persuaded to visit the fraudulent site under the guise of IT assistance. “The attacks vary from there, depending on the attacker's motivation and their interactions with the user,” Winterford said.

When victims submit their login credentials, the data is instantly relayed to the attacker—often through a Telegram channel—granting access to the real service. While the victim remains on the call, the attacker attempts to log in and observes which MFA methods are triggered, modifying the phishing page in real time to match the experience.

Attackers then instruct victims to approve push notifications, enter one-time passcodes, or complete other MFA challenges. Because the fake site mirrors these requests, the deception becomes harder to detect.

“If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their [command-and-control] panel that directs their target's browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn't initiate,” the report says.

Okta also warned that these kits can defeat number-matching MFA prompts by simply instructing users which number to enter, effectively neutralizing an added layer of security.

Once MFA is bypassed, attackers gain full control of the compromised account.

This research aligns with The Register’s previous reporting on “impersonation-as-a-service,” where cybercriminals bundle social engineering tools into subscription-based offerings.

“As a bad actor you can subscribe to get tools, training, coaching, scripts, exploits, everything in a box to go out and conduct your infiltration operation that often combine[s] these social engineering attacks with targeted ransomware, almost always with a financial motive,” security firm Nametag CEO Aaron Painter said in an earlier interview.

UAE Banks Ditch SMS OTPs for Biometric App Authentication



 

User Privacy

Biometric Authentication Cyber Fraud OTP Scam UAE Banks User Privacy

UAE Banks Ditch SMS OTPs for Biometric App Authentication

UAE banks have discontinued SMS-based one-time passwords (OTPs) for online transactions from January 6, 2026, moving customers to app-based and biometric authentication as part of a wider security overhaul led by the Central Bank of the UAE. This marks a significant shift in how digital payments are approved, aiming to curb SIM-swap and phishing-related fraud while streamlining user experience for cardholders across the country.

Since January 6, customers making online card payments are no longer receiving OTP codes via SMS or email to complete their purchases. Instead, banks will push transaction-approval requests directly to their official mobile applications, where users must confirm the payment using in-app prompts.Major UAE lenders, including names like Emirates NBD and others, have started sending alerts to customers, warning that online payments may fail if the banking app is not installed and activated before the deadline.

Role of biometrics and app authentication

The new model relies heavily on biometric verification such as fingerprint and facial recognition, along with secure app PINs or Smart Pass-style codes built into mobile banking platforms. When a customer attempts an online transaction, a notification appears inside the bank’s app, and the user authorises it with their registered biometric data or a secure PIN rather than typing in a texted code.Banks and regulators describe this as “strong customer authentication,” aligning local practices with international standards similar to Europe’s PSD2 framework for secure digital payments.

Authorities and banks point to rising fraud that targets SMS OTPs, especially SIM-swap scams, phishing schemes and interception of text messages over insecure channels. By tying approvals to registered devices and biometrics inside the banking app, the sector aims to sharply reduce the chance that criminals can hijack authentication codes and authorise fraudulent payments in a victim’s name. The Central Bank’s notice (2025/3057) set March 2026 as the outer deadline to phase out SMS and email OTPs entirely, but most major banks accelerated implementation after seeing a spike in such fraud cases last year.

Impact on customers and preparations

Customers are being urged to update their bank apps to the latest version, register biometrics where available, and enable push notifications so they do not miss approval requests during online shopping or money transfers.Those who do not complete these steps risk declined payments or delays, particularly for e-commerce and international transactions that now depend entirely on in-app verification rather than text messages. Employers and community groups in the UAE have been encouraged to educate less tech-savvy users, including blue-collar workers who rely on digital wallets and remittances, to avoid disruption during the transition period.

The move positions the UAE as one of the early markets to rely almost exclusively on biometric and app-based approvals for everyday retail payments, ahead of many more mature banking jurisdictions. Industry analysts see this shift as part of a broader digital transformation strategy in the country’s financial sector, combining enhanced security with faster, more convenient user journeys for online transactions.For customers, the change may require short-term adaptation, but it is expected to deliver stronger protection and a smoother checkout flow once app-based and biometric authentication becomes routine.

Government Flags WhatsApp Account Bans as Indian Number Misuse Raises Cyber Fraud Concerns



 

Mobile Numbers

account protection Cyber Fraud Cyber Frauds CyberCrime Data Safety User Data Indian Government Mobile Numbers

Government Flags WhatsApp Account Bans as Indian Number Misuse Raises Cyber Fraud Concerns

The Indian government has expressed concern over WhatsApp banning an average of nearly 9.8 million Indian accounts every month until October, amid fears that Indian mobile numbers are being widely misused for scams and cybercrime. Officials familiar with the discussions said the government is engaging with the Meta-owned messaging platform to understand how such large-scale misuse can be prevented and how enforcement efforts can be strengthened.

Authorities believe WhatsApp’s current approach of not sharing details of the mobile numbers linked to banned accounts is limiting the government’s ability to track spam, impersonation, and cyber fraud. While WhatsApp publishes monthly compliance reports disclosing the number of accounts it removes for policy violations, officials said the lack of information about the specific numbers involved reduces transparency and weakens enforcement efforts.

India is WhatsApp’s largest market, and the platform identifies Indian accounts through the +91 country code. Government officials noted that in several cases, numbers banned on WhatsApp later reappear on other messaging platforms such as Telegram, where they continue to be used for fraudulent activities. The misuse of Indian phone numbers by scammers operating both within and outside the country remains a persistent issue, despite multiple measures taken to combat digital fraud.

According to officials, over-the-top messaging platforms are frequently used for scams because once an account is registered using a mobile number, it can function without an active SIM card. This makes it extremely difficult for law enforcement agencies to trace perpetrators. Authorities estimate that nearly 95% of cases involving digital arrest scams and impersonation fraud currently originate on WhatsApp.

Government representatives said identifying when a SIM card was issued and verifying the authenticity of its know-your-customer details are critical steps in tackling such crimes. Discussions are ongoing with WhatsApp and other OTT platforms to find mechanisms that balance user privacy with national security and fraud prevention.

The government also issues direct requests to platforms to disable accounts linked to illegal activities. Data from the Department of Telecommunications shows that by November this year, around 2.9 million WhatsApp profiles and groups were disengaged following government directives. However, officials pointed out that while these removals are documented, there is little clarity around accounts banned independently by WhatsApp.

Former Ministry of Electronics and IT official Rakesh Maheshwari said the purpose of monthly compliance reports was to improve platform accountability. He added that if emerging patterns raise security concerns, authorities are justified in seeking additional information.

WhatsApp has maintained that due to end-to-end encryption, its enforcement actions rely on behavioural indicators rather than message content. The company has also stated that sharing detailed account data involves complex legal and cross-border challenges. However, government officials argue that limited disclosure, even at the level of mobile numbers, poses a security risk when large-scale fraud is involved.

Hackers Hijack WhatsApp Accounts Using ‘GhostPairing’ Scam Without Breaking Encryption



 

WhatsApp security alert

Cyber Fraud device pairing scam GhostPairing scam WhatsApp account hijack WhatsApp hacking WhatsApp security alert

Hackers Hijack WhatsApp Accounts Using ‘GhostPairing’ Scam Without Breaking Encryption

Cybersecurity experts have issued a warning after discovering a new method that allows hackers to take over WhatsApp accounts without compromising the app’s end-to-end encryption.

The attack, known as the GhostPairing scam, exploits WhatsApp’s legitimate device-linking feature. By manipulating users into unknowingly connecting their account to a device controlled by cybercriminals, attackers gain live access to private chats, images, videos, and voice messages. Once an account is compromised, hackers can impersonate the victim and message their contacts, enabling the scam to spread further.

The process begins when a target receives a message that appears to be sent by someone they trust. The message includes a link, often claiming to display a photo of the recipient. Clicking the link redirects the user to a fake Facebook login page that asks for their phone number.

Instead of displaying any image, the page triggers WhatsApp’s device-pairing process by showing a code and instructing the victim to enter it into the app. By doing so, the user unknowingly authorises an unfamiliar device to link with their account. This gives attackers full access without the need for passwords or additional verification.

The scam was identified by researchers at cybersecurity company Avast, who say it is particularly dangerous due to its ability to spread rapidly in a chain-like manner.

“This campaign highlights a growing shift in cybercrime: breaching people's trust is as important as breaching their security systems,” Luis Corrons, a Security Evangelist at Avast, told The Independent.

“Scammers are persuading people to approve access themselves by abusing familiar mechanisms like QR codes, pairing prompts, and ‘verify on your phone’ screens that feel routine.

“Scams like GhostPairing turn trust into a tool for abuse. This isn’t just a WhatsApp issue. It’s a warning sign for any platform that relies on fast, low-visibility device pairing.”

In a blog post explaining the scam, Avast cautioned that many victims may not even realise their accounts have been hijacked. WhatsApp users can review connected devices by opening Settings and tapping Linked Devices. Any unfamiliar device should be removed immediately.

“At Avast, we see this as a turning point in how we think about authentication and user intent,” Mr Corrons said.

“As attacks grow more manipulative, security must account not just for what users are doing intentionally, but also what they’re being tricked into doing. GhostPairing shows that when trust becomes automatic, it becomes exploitable."

South Africa Warns of Cybercrime Surge Amid Festive Season



 

South Africa

Cyber Fraud Festive Scams Online fraud ransomware attacks South Africa

South Africa Warns of Cybercrime Surge Amid Festive Season

South Africa is experiencing a sudden and deeply concerning rise in cybercrime this holiday season, with consumers and businesses being warned to prepare for more aggressive attacks on digital banking, mobile applications and online services.

Surge in festive-season attacks

The law firm Cox Yeats has witnessed a significant rise in cyberattacks themed around online shopping and digital payments, criminals are leveraging fake online shops, phishing emails, malicious QR codes and AI-powered impersonation scams to trick people into handing over credentials and payment data. They are encouraged to confirm any communications, transact only in official channels, avoid public Wi‑Fi when conducting transactions and use VPNs or mobile data, and report any suspicious activity as soon as possible.

The Information Regulator logged a total of 2 374 data breach cases that were officially reported for the 2024/25 period, averaging at a high of 200 incidents a month and increasing to about 300 monthly notifications in the current financial year—a 40% increase in security breaches. No organization is immune, as recent attacks have compromised government agencies, healthcare providers, financial institutions, retailers and telecommunication providers in ransomware, data theft and extortion.

Financial and human cost

The economic impact is devastating, with the median cost of a data breach to a local business now hovering near R49 million, a sum that can lay waste to even the most well-run small or medium-sized business. South African consumers lost more than R1 billion in 2023 alone through digital banking and mobile app scams, while SABRIC reckons annual losses to cyber-attacks could be as high as R3.3 billion, accompanied by 45% rise in digital banking fraud and a 47% increase in such related financial losses.

Surveys cited by Mpahlwa show that 70% of South African consumers have fallen victim to cybercrime, compared with 50% globally, with 35% admitting to losing money in scams and 32% acknowledging that they clicked on phishing emails. The emotional strain is mounting too, with 58% of people expressing deep concern about becoming victims, a trend worsened by AI tools that make it easier for criminals to convincingly impersonate brands, colleagues and even family members.

As ransomware continues to be a highly disruptive threat, with South Africa being the second most targeted country in Africa and third globally for cyberattacks, including double extortion attacks in which stolen data is threatened with being released to the public. Organisations are being advised to harden defences and have strong cyber insurance that covers loss of money, liability, business interruption, incidents relating to ransomware, breaches involving data, and the potential for fines from regulators as the threat landscape rapidly shifts.

Holiday Scams Surge: How to Protect Yourself This Season



 

Scam Prevention

Cyber Fraud Fraud Alerts Holiday Scams Online Safety Scam Prevention

Holiday Scams Surge: How to Protect Yourself This Season

Scammers intensify their efforts during the holiday season, exploiting the rush, stress, and increased spending that characterize this time of year. The Federal Bureau of Investigation warns that fraud schemes spike significantly as criminals deploy sophisticated tactics—including AI-generated offers and phony delivery notifications—to steal money and personal information from unsuspecting victims.

The holiday period creates perfect conditions for fraudsters. People are distracted by family obligations, travel plans, and shopping deadlines, making them less likely to scrutinize suspicious messages or verify deals that appear too good to be true. With money flowing through shopping, travel bookings, and gift exchanges, scammers have numerous opportunities to exploit vulnerable targets.

Common holiday scams

Fake online shopping sites represent one of the most prevalent threats. These professional-looking storefronts advertise steep holiday discounts but disappear after collecting payments without delivering products. Consumers should navigate directly to trusted retailer websites rather than clicking promotional links and use credit cards for easier fraud disputes.

Phishing and smishing attacks flood inboxes with messages impersonating delivery services, claiming shipping problems or requesting order confirmations. These messages aim to harvest login credentials and financial details. Recipients should avoid clicking links in unexpected messages and instead manually type company URLs into browsers to verify account status.

Gift card scams involve tampering with physical cards to drain balances after activation or pressuring victims to pay with gift cards instead of standard methods. Purchasing cards directly from secure locations and retaining receipts provides protection against these schemes.Bogus charity operations emerge during the holidays, exploiting generosity through emotional donation requests. Donors should verify organizations using platforms like Charity Navigator before contributing funds.

Travel scams target holiday travelers with fake airline, hotel, or rental confirmations designed to collect money and personal information. Booking directly through official company channels and confirming reservations via verified apps prevents these frauds.Imposter scams feature criminals posing as customer service representatives on social media to extract sensitive data.

Users should only engage with verified business accounts and never share personal details through direct messages.Non-delivery scams occur when buyers pay for goods they never receive or sellers ship items without receiving payment. Using platforms with buyer and seller protections minimizes these risks.

Protection strategies

Awareness and simple habits provide effective defense. Slowing down before clicking links, verifying sellers through reviews, and favoring credit cards over peer-to-peer payment apps significantly reduce risk. When urgency triggers suspicion, pausing to verify information can prevent costly mistakes and protect finances throughout the holiday season

GhostPairing Attack Puts Millions of WhatsApp Users at Risk



 

WhatsApp Security

Account Takeover browser hijacking Cyber Fraud Device Pairing End-to-End Encryption Identity Threats QR Phishing Social Engineering WhatsApp Security

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

An ongoing campaign that aims to seize control of WhatsApp accounts by manipulating WhatsApp's own multi-device architecture has been revealed by cybersecurity experts in the wake of an ongoing, highly targeted attack designed to illustrate the increasing complexity of digital identity threats.

Known as GhostPairing, the attack exploits the trust inherent in WhatsApp's system for pairing devices - a feature that allows WhatsApp Web users to send encrypted messages across laptops, mobile phones, and browsers by using the WhatsApp Web client.

Through a covert means of guiding victims into completing a legitimate pairing process, malicious actors are able to link an attacker-controlled browser as a hidden companion device to the target account, without alerting the user or sending him/her any device notifications at all.

The end-to-end encryption and frictionless cross-platform synchronization capabilities of WhatsApp remain among the most impressive in the industry, but investigators warn that these very strengths of the service have been used to subvert the security model, which has enabled adversaries to have persistent access to messages, media, and account controls.

Although the encryption remains intact in such a scenario technically, it will be strategically nullified if the authentication layer is compromised, allowing attackers to read and reply to conversations from within their own account. This effectively converts a feature that was designed to protect your privacy into an entry point for silent account takeovers, effectively converting a privacy-first feature into a security-centric attack.

Analysts have characterized GhostPairing as a methodical account takeover strategy that relies on WhatsApp’s legitimate infrastructure of device linkage as a means of obtaining access to accounts instead of compromising WhatsApp’s security through conventional methods of authentication. In this technique, users are manipulated socially so that they link an external device, under the false impression that they are completing a verification process.

As a general rule, an attack takes place through messages appearing to come from trusted contacts, often compromised accounts, and containing links disguised as photos, documents, or videos. Once accessed by victims, these links lead them to fake websites meticulously modeled after popular social media platforms such as Facebook and WhatsApp, where allegedly the victim will be asked to enter his or her phone number as part of an authentication process.

Moreover, the pages are designed to generate QR codes that are used to verify customer support, comply with regulations regarding KYC, process job applications, update KYC records, register promotional events, or recover account information. By scanning QR codes that mirror the format used by WhatsApp Web, users unintentionally link their accounts to those of attackers, not realizing they are scanning QR codes that are actually the same format used by WhatsApp Web.

It is important to know that once the connection is paired, it runs quietly in the background, and the account owner does not receive an explicit login approval or security alert. Although WhatsApp’s encryption remains technically intact, the compromise at the device-pairing layer allows threat actors to access private communications in a way that effectively sidesteps encryption by allowing them to enter authenticated sessions from within their own account environment, even though WhatsApp’s encryption has remained unbroken technologically.

The cybercriminals will then be able to retrieve historical chat data, track incoming messages in real time, view and transmit shared media — including images, videos, documents, and voice notes — and send messages while impersonating the legitimate account holder in order to take over the account. Additionally, compromised accounts are being repurposed as propagation channels for a broader range of targets, further enlarging the campaign's reach and scale.

The intrusion does not affect normal app behavior or cause system instability, so victims are frequently unaware of unauthorized access for prolonged periods of time, which allows attackers to maintain persistent surveillance without detection for quite a while.

The campaign was initially traced to users in the Czech Republic, but subsequent analysis has shown that the campaign's reach is much larger than one specific country. During their investigation, researchers discovered that threat actors have been using reusable phishing kits capable of rapid replication, which allows operations to scale simultaneously across countries, languages, and communication patterns.

A victim's contact list is already populated with compromised or impersonated accounts, providing an additional layer of misplaced trust to the outreach, which is what initiates the attack chain. In many of these messages, the sender claims that they have found a photograph and invites their recipients to take a look at it through a link intentionally designed to look like the preview or media viewer for Facebook content.

As soon as the link is accessed, users are taken to a fake, Facebook-branded verification page that requires them to authenticate their identity before they can view the supposed content. The deliberate mimicry of familiar interfaces plays a central role in lowering suspicions, thereby encouraging victims to complete verification steps with little hesitation, according to security analysts.

A study published by Gen Digital's threat intelligence division indicates that the campaign is not relying on malware deployments or credential interceptions to execute. This malware manipulates WhatsApp's legitimate device-pairing system instead.

As a consequence of the manipulation, WhatsApp allows users to link browsers and desktop applications together for the purpose of synchronizing messaging. Attackers can easily bind an unauthorized browser to an account by convincing the users to voluntarily approve the connection. In other words, they are able to bypass encryption by entering through a door of authentication that they themselves unknowingly open, rather than breaking it.

It has become increasingly apparent that threat actors are moving away from breaking encryption towards undermining the mechanisms governing access to it, as evidenced by GhostPairing. As part of this attack, people are using WhatsApp's unique feature: frictionless onboarding and the ability to link their devices to their account with just a phone number in order to extend your account to as many devices as they like.

The simplicity of WhatsApp, often cited as a cornerstone of the company's global success, means that users don't have to enter usernames or passwords, reinforcing convenience, but inadvertently exposing more vulnerabilities to malicious use. WhatsApp's end-to-end encryption architecture further complicates things, since it provides every user with their own private key.

Private cryptographic keys that are used to securely encrypt the content of the messages are stored only on the user's device, which theoretically should prevent eavesdropping unless an attacker is able to physically acquire the device or deploy malware to compromise it remotely if it can be accessed remotely.

By embedding an attacker's device within an authenticated session, GhostPairing demonstrates that a social engineering attack can circumvent encryption without decrypting the data, but by embedding an attacker's device within a session in which encrypted content is already rendered readable, thus circumventing the encryption.

Researchers have found that the technique is comparatively less scalable on platforms such as Signal, which supports only QR-based approvals for pairing devices, and this limitation has been noted to offer some protection against similar thematically driven device linking techniques.

The analysts emphasize from a defensive standpoint that WhatsApp provides users with an option to see what devices are linked to them through their account settings section titled Linked Devices. In this section, unauthorized connections can, in principle, be identified, as well. The attackers may be able to establish silent persistence through fraudulently linking devices, but they cannot remove or revoke their device access themselves, since the primary registered device remains in charge of revocation.

The addition of two-step PIN verification as a mitigation, which prevents attackers from making changes to an account's primary email address, adds additional hurdles for attackers. However, this control does not hinder access to messages once pairing has been completed. Especially acute consequences exist for organizations.

A common way for employees to communicate is via WhatsApp, which can sometimes lead to informal group discussions involving multiple members - many of which are conducted outside of formal documentation and oversight. It has been recommended by security teams to assume the existence of these shadow communication clusters, rather than treat them as exceptions, but as a default risk category.

A number of industry guidelines (including those that have prevailed for the past five years) emphasize the importance of continued user awareness, and in particular that users should be trained in identifying phishing attempts, unsolicited spam, and the like, even if the attempt seems to come from well-known contacts or plausible verification attempts.

The timing of the attack is difficult to determine when viewed from a broader perspective, but there are no signs that there is any relief. According to a report published by Meta in April of this year, millions of WhatsApp users had their mobile numbers exposed, and Meta confirmed earlier this year that the Windows desktop application had security vulnerabilities.

In parallel investigations, compromised Signal-based messaging tools have also been found to have been compromised by political figures and senior officials, confirming that cross-platform messaging ecosystems, regardless of whether or not they use encryption strength, are now experiencing identity-layer vulnerabilities that must be addressed with the same urgency as network or malware attacks have been traditionally addressed.

The GhostPairing campaign signals a nuanced, yet significant change in techniques for gaining access to accounts, which reflects a longer-term trend in which attackers attempt to gain access to identities through behavioral influence rather than technical subversion.

Threat actors exploit WhatsApp's ability to link devices exactly as it was intended to work, whereas they decrypt the secure communication or override authentication safeguards in a way that seems to be more effective.

They engineer moments of cooperation through the use of persuasive, familiar-looking interfaces. A sophisticated attack can be carried out by embedding fraudulent prompts within convincingly branded verification flows, which allows attackers to secure enduring access to victim accounts with very little technical skill, relying on legitimacy by design instead of compromising the systems.

There is a warning from security researchers that this approach goes beyond regional boundaries, as scalable phishing kits and interface mimicry enable multiple countries to deploy it across multiple languages.

A similar attack can be attempted on any digital service that allows set-up via QR codes or numeric confirmation steps, irrespective of whether the system is built on a dedicated platform or not. This has an inherent vulnerability to similar attacks, especially when human trust is regarded as the primary open-source software vulnerability.

Analysts have emphasized that the attack's effectiveness stems from the convergence of social engineering precision with permissive multi-device frameworks, so that it allows adversaries to penetrate encrypted environments without any need to break the encryption at all — and to get to a session in which all messages have already been decrypted for the authenticated user.

It is encouraging to note that the defensive measures necessary to combat such threats are still relatively straightforward. The success rate of such deception-driven compromises could be significantly reduced if regular device hygiene audits, greater user awareness, and modest platform refinements such as clearer pairing alerts and tighter device verification constraints were implemented.

Especially for organizations that are exposed to undocumented employee group chats that operate outside the formal oversight of the organization are of crucial importance for reducing risk. User education and internal reporting mechanisms are crucial components of mitigating risks.

Amidst the rapid increase in digital interactions, defenders are being urged to treat vigilance in the process not as an add-on practice, but rather as a foundational layer of account security for the future. GhostPairing's recent appearance serves to serve as a reminder that the security of modern communication platforms is no longer solely defined by encryption standards, rather by the resilience of the systems that govern access to them, and that the security of these systems must be maintained at all times.

It is evident that as messaging ecosystems continue to grow and integrate themselves into everyday interactions — such as sharing personal media or coordinating workplace activities — the balance between convenience and control demands renewed scrutiny.

It is strongly advised for users to follow regular digital safety practices, such as verifying unexpected links even if they are sent by familiar contacts, regularly auditing linked devices, and activating two-factor safeguards, such as two-step PIN verification, to ensure that their data is secure.

As organizations become increasingly aware of threats beyond the perimeter of their organizations, they should cultivate a culture of internal threat reporting that ensures that unofficial communication groups are acknowledged in risk models rather than ignored.

Security teams are advised to conduct phishing awareness drills, make device-pairing alerts more clear at the platform level, and conduct periodic access hygiene reviews of widely used communication channels, such as encrypted messengers, for a number of reasons.

With the incidence of identity-layer attacks on the rise, researchers emphasize that informed users remain the best countermeasure against silent account compromise - making awareness the best strategic strategy in the fight against silent account compromises, not only as a reactive habit, but as a long-term advantage.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Deepfake Fraud Expands as Synthetic Media Targets Online Identity Verification Systems

The Global Cyber Fraud Wave Is Being Supercharged by Artificial Intelligence

Meta Targets 150K Accounts in Southeast Asia Scam Operation

Phishing Campaign Abuses .arpa Domain and IPv6 Tunnels to Evade Enterprise Security Defenses

U.S. Justice Department Seizes $61 Million in Tether Linked to ‘Pig Butchering’ Crypto Scams

Darktrace Flags Surge in Phishing as Identity-Based Attacks Redefine 2025 Threat Landscape

Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers

Indonesia Hit by $2m Fraud Wave Using Fake ‘Coretax’ Tax Apps

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners

Dark Web Voice-Phishing Kits Supercharge Social Engineering and Account Takeovers

UAE Banks Ditch SMS OTPs for Biometric App Authentication

Government Flags WhatsApp Account Bans as Indian Number Misuse Raises Cyber Fraud Concerns

Hackers Hijack WhatsApp Accounts Using ‘GhostPairing’ Scam Without Breaking Encryption

South Africa Warns of Cybercrime Surge Amid Festive Season

Holiday Scams Surge: How to Protect Yourself This Season

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item