Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Fraud. Show all posts
UK tax fraud
£47m HMRC loss Cyber Fraud cybercrime HMRC HMRC account lockdown HMRC phishing scam HMRC scam investigation identity theft UK PAYE accounts breach tax refund scam UK tax fraud

Phishing Scam Hits HMRC: £47M Lost, 100,000 Tax Accounts Affected—Officials Confirm No Loss to Individuals

 

HM Revenue and Customs (HMRC) has reported a loss of £47 million following a large-scale phishing scam that compromised approximately 100,000 individual tax accounts, members of Parliament were informed on Wednesday.

Senior HMRC officials appeared before the Treasury Committee, revealing that tens of thousands of people have either been notified or are in the process of being contacted after their accounts were suspended in response to the security breach. The attack, described as a case of "organised crime," began in 2023.

John-Paul Marks, HMRC’s chief executive, assured the committee that “It’s about 0.2% of the PAYE population, around 100,000 people, who we have written to, are writing to, to notify them that we detected activity on their PAYE account.”

He clarified that individual taxpayers—not businesses—were targeted, but “no financial loss to those individuals” has occurred.

Marks explained that the attackers used personal information acquired through phishing attempts outside of HMRC’s infrastructure. “This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” he said.

The phishing campaign, which reached across international jurisdictions, has already led to several arrests, according to Marks.

Angela MacDonald, deputy chief executive and second permanent secretary at HMRC, disclosed that “at the moment, they’ve managed to extract repayments to the tune of £47m. Now that is a lot of money, and it’s very unacceptable.” However, she also emphasized HMRC’s broader protective measures, stating: “We have overall, in the last tax year, we actually protected £1.9bn worth of money which sought to be taken from us by attacks.”

MacDonald was firm in stating that the incident does not classify as a cyberattack: “We have not been hacked, we have not had data extracted from us.” She clarified that while this breach involved fraudulent use of external identity data, there was no infiltration of HMRC systems. “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here.”

HMRC has since taken corrective measures by locking affected accounts, deleting login credentials, and rectifying any inaccuracies in taxpayers’ records. Impacted individuals will receive official communication within three weeks.

Meanwhile, Marks noted that an unrelated outage had affected HMRC’s phone lines on Wednesday afternoon, but said this was purely “coincidental” and services would resume on Thursday.

An HMRC spokesperson reiterated the agency’s stance: “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with other law enforcement agencies both in the UK and overseas to bring those responsible to justice. This was not a cyber-attack – it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC. We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”

This revelation follows recent warnings to UK banks and payment providers to enhance anti-fraud systems amid a surge in international scam-related money transfers. New data indicates that 11% of 2024’s authorised push payment scam losses originated from cross-border transactions—nearly double that of 2023.
Read more »
Malware Attack
Cyber Fraud Cyber Scams cybercriminals data security Financial Fraud Hacking WhatsApp Malicious Code Malware Attack

WhatsApp Image Scam Uses Steganography to Steal User Data and Money

 

With over three billion users globally, including around 500 million in India, WhatsApp has become one of the most widely used communication platforms. While this immense popularity makes it convenient for users to stay connected, it also provides fertile ground for cybercriminals to launch increasingly sophisticated scams. 

A recent alarming trend involves the use of steganography—a technique for hiding malicious code inside images—enabling attackers to compromise user devices and steal sensitive data. A case from Jabalpur, Madhya Pradesh, brought this threat into the spotlight. A 28-year-old man reportedly lost close to ₹2 lakh after downloading a seemingly harmless image received via WhatsApp. The image, however, was embedded with malware that secretly installed itself on his phone. 

This new approach is particularly concerning because the file looked completely normal and harmless to the user. Unlike traditional scams involving suspicious links or messages, this method exploits a far subtler form of cyberattack. Steganography is the practice of embedding hidden information inside media files such as images, videos, or audio. In this scam, cybercriminals embed malicious code into the least significant bits of image data or in the file’s metadata—areas that do not impact the visible quality of the image but can carry executable instructions. These altered files are then distributed via WhatsApp, often as forwarded messages. 

When a recipient downloads or opens the file, the embedded malware activates and begins to infiltrate the device. Once installed, the malware can harvest a wide range of personal data. It may extract saved passwords, intercept one-time passwords, and even facilitate unauthorized financial transactions. What makes this form of attack more dangerous than typical phishing attempts is its stealth. Because the malware is hidden within legitimate-looking files, it often bypasses detection by standard antivirus software, especially those designed for consumer use. Detecting and analyzing such threats typically requires specialized forensic tools and advanced behavioral monitoring. 

In the Jabalpur case, after downloading the infected image, the malware gained control over the victim’s device, accessed his banking credentials, and enabled unauthorized fund transfers. Experts warn that this method could be replicated on a much larger scale, especially if users remain unaware of the risks posed by media files. 

As platforms like WhatsApp continue working to enhance security, users must remain cautious and avoid downloading media from unfamiliar sources. In today’s digital age, even an innocent-looking image can become a tool for cyber theft.
Read more »
User Security
Bribery Cyber Fraud Cypto Exchange Social Engineering Attack User Security

Coinbase Offers $20m Bounty to Take Down Perpetrators Behind Social Engineering Attack

 

Coinbase, a renowned cryptocurrency exchange, is offering a $20 million prize to anyone who can assist identify and bring down the culprits of a recent cyber-attack, rather than fulfilling their ransom demands. 

On May 15, Coinbase said that attackers bribed and recruited a group of rogue offshore support agents to steal client data and carry out social engineering attacks. The attackers intended to exploit the stolen data to imitate Coinbase and trick users into turning up their cryptocurrency holdings.

The US crypto firm was asked to pay a $20 million ransom to end the scam. However, Coinbase has openly refused to pay the ransom. Instead, it is collaborating with law enforcement and security sector experts to track down the stolen assets and hold those behind the scheme accountable. 

Coinbase introduced the 'Bounty' program, which includes the $20 million reward fund. The funds will be awarded to anyone who can offer information that leads to the arrest and conviction of the culprits responsible for the attack. 

Establishing safety protocols

Coinbase acted quickly against the insider offenders, firing them and reporting them to US and international law authorities. The crypto exchange will compensate consumers who were duped into sending funds to the perpetrators as a result of social engineering work. 

Furthermore, the crypto exchange suggested that it was putting in place additional measures, such as requesting extra ID checks for substantial withdrawals from flagged accounts and showing mandatory scam-awareness messages. 

The company is also expanding its support operations by establishing a new help hub in the United States and tightening security controls and monitoring across all sites. It is also strengthening its defences by investing more in insider threat detection and automated response, as well as replicating similar security risks to discover potential flaws. 

Coinbase is also working with law enforcement and the private sector to identify the attackers' addresses, allowing authorities to track down and perhaps recover the stolen assets. Finally, Coinbase wants to file criminal charges against those who carried out the cyberattack.
Read more »
Pop-ups
Call Center Call Center Scam CBI Cyber Fraud Cyber Scam Fake Calls Fake IT Support Financial Fraud Japan Pop-ups

CBI Uncovers Tech Support Scam Targeting Japanese Nationals in Multi-State Operation

 

The Central Bureau of Investigation (CBI) has uncovered a major international scam targeting Japanese citizens through fake tech support schemes. As part of its nationwide anti-cybercrime initiative, Operation Chakra V, the CBI arrested six individuals and shut down two fraudulent call centres operating across Delhi, Haryana, and Uttar Pradesh. 

According to officials, the suspects posed as representatives from Microsoft and Apple to deceive victims into believing their electronic devices were compromised. These cybercriminals manipulated their targets—mainly Japanese nationals—into transferring over ₹1.2 crore (approximately 20.3 million Japanese Yen) under the pretense of resolving non-existent technical issues. 

The investigation, carried out in collaboration with Japan’s National Police Agency and Microsoft, played a key role in tracing the culprits and dismantling their infrastructure. The CBI emphasized that international cooperation was vital in identifying the criminal network and its operations. 

Among those arrested were Ashu Singh from Delhi, Kapil Ghakhar from Panipat, Rohit Maurya from Ayodhya, and three Varanasi residents—Shubham Jaiswal, Vivek Raj, and Adarsh Kumar. These individuals operated two fake customer support centres that mirrored legitimate ones in appearance but were in fact used to run scams. 

The fraud typically began when victims received pop-up messages on their computers claiming a security threat. They were prompted to call a number, which connected them to scammers based in India pretending to be technical support staff. Once in contact, the scammers gained remote access to the victims’ systems, stole sensitive information, and urged them to make payments through bank transfers or by purchasing gift cards. In one severe case, a resident of Hyogo Prefecture lost over JPY 20 million after the attackers converted stolen funds into cryptocurrency. 

Language discrepancies during calls, such as awkward Japanese and audible Hindi in the background, helped authorities trace the origin of the calls. Investigators identified Manmeet Singh Basra of RK Puram and Jiten Harchand of Chhatarpur Enclave as key figures responsible for managing lead generation, financial transfers, and the technical setup behind the fraud. Harchand has reportedly operated numerous Skype accounts used in the scam. 

Between July and December 2024, the operation used 94 malicious Japanese-language URLs, traced to Indian IP addresses, to lure victims with fake alerts. The scheme relied heavily on social engineering tactics and tech deception, making it a highly sophisticated cyber fraud campaign with international implications.
Read more »
Postal Service
Amazon Brushing Scam customer privacy Cyber Fraud cyber threat Data Fraud data security Data Theft Postal Service

Brushing Scam Targets Amazon Customers with Unsolicited Packages and Hidden Cyber Threats

 

Ray Simmons was confused when he received an unexpected Amazon package containing beet chews. Initially, he thought it might be a joke from someone encouraging him to eat healthier. However, it turned out to be part of a broader scam known as “brushing,” where consumers receive unsolicited deliveries from online sellers attempting to manipulate product ratings and reviews. 

Brushing scams involve third-party sellers who send low-value goods to individuals whose names and addresses are often scraped from publicly available online sources. After the product is delivered, scammers use the recipient’s identity or create a fake account that resembles the recipient to leave positive reviews. These fake reviews can artificially boost a product’s credibility, helping it rank higher in search results and increasing sales. 

While receiving a free item might seem harmless, the scam carries hidden dangers. The U.S. Postal Inspection Service (USPIS) warns that these incidents indicate misuse of personal information. Even more concerning is the potential for packages to include QR codes, which might direct recipients to malicious websites. Scanning such codes can result in the installation of malware or the theft of personal data. 

The scam is a reminder that personal data is often accessible and can be exploited without a consumer’s knowledge. USPIS stresses the importance of not interacting with suspicious elements included in unsolicited packages. Inspector David Gealey noted that even though these items may appear insignificant, they are a signal that someone has unauthorized access to your personal information. 

Fortunately, the package Simmons received did not include a QR code. Nonetheless, he took immediate action by checking his Amazon and banking accounts for any signs of unauthorized access. This kind of vigilance is exactly what USPIS recommends for anyone in a similar situation. 

Authorities advise that recipients of such packages should not scan any QR codes or click on any related links. They also emphasize that there is no obligation to return unsolicited items. Instead, consumers should monitor their financial and e-commerce accounts for any suspicious activity and report the incident to local law enforcement, USPIS, or the Federal Trade Commission.  

Though brushing scams may appear to be minor nuisances, they reflect deeper issues related to data privacy and cyber fraud. Staying informed and cautious can help consumers protect themselves from further harm and support efforts to hold malicious actors accountable.
Read more »
Two Factor Authentication
Cyber Fraud Cybersecurity CyberThreat Database Breach SIM SIM- Swap SMS Two Factor Authentication

Two Factor Authentication Under Threat as Sim Swap Fraud Escalates Sharply


 

It has been estimated that SIM-swap fraud has increased by more than 1,000% in the United Kingdom in just a year, a shocking increase that has resulted from the recent surge in reported cases. Using newly released data from the National Fraud Database, it has been estimated that incidents increased from 289 in 2023 to almost 3,000 in 2024, a staggering 1,055% increase in incidents. 

It is clear from this sharp increase in cybercrime that a growing trend is emerging among cybercriminals who are increasingly exploiting the widespread adoption of two-factor authentication by businesses as a security measure to protect sensitive customer information. SIM-swap fraud, also known as sophisticated identity theft, is where fraudsters gain control of a victim's mobile phone number by transferring it to a new SIM card, usually without the victim's knowledge. 

When criminals hijack the phone number, they can intercept security codes sent via SMS and one-time passwords sent by SMS, thus gaining access to online banking, email, and other personal accounts protected by two-factor authentication (2FA), thereby gaining unauthorised access. In a world where businesses continue to heavily rely on mobile-based authentication to safeguard user data, this increasing threat underscores the urgent need for cybersecurity strategies that are more resilient and layered. 

There are critical concerns about the vulnerability inherent in current digital security protocols in light of the dramatic increase in such cases, and it is evident that cybercriminals are evolving their methods of bypassing these protocols as well. A serious warning has been issued by CIFAS, the most prominent fraud prevention organisation in the UK, regarding a dramatic increase in SIM-swap fraud reported through 2024, with a 1,055% increase reported in cases.

In its latest report, Fraudscape, which examines the UK's fraud landscape and presents a detailed and data-driven analysis of emerging threats, particularly among mobile and telecommunications companies, the organisation released the concerning figures, which are based on the latest figures. According to the National Fraud Database (NFD), there were nearly 3,000 incidents of SIM swaps that were registered during the year 2024, a significant increase over the previous year's 289 cases. 

Fraudsters acan illicitly transfer the victim's phone number SIM card in order totheir communication, which enaenablingeffectively take control of their communications. Criminals can intercept security verification codes, such as two-factor authentication codes, when they have access to a victim's calls and text messages. This allows them to perform more extensive fraud, including app takeovers, unauthorised account access, and a wider array of identity theft attacks. 

A new report, Fraudscape, indicates an unprecedented number of fraud cases will be filed with the National Fraud Agency (NFF) in 2024, demonstrating that fraud in all sectors has increased significantly. The telecommunications industry in particular has become a prime target, with identity fraud involving mobile services going up 87% year-on-year over the last five years alone. As a result of this surge, more than 16,000 new fraud cases have occurred in the industry, which suggests that stronger fraud defences within the industry are urgently needed. 

It is not uncommon for facility takeover fraud to be on the rise in the last few years, an insidious technique in which criminals seize complete control of an individual's financial and service accounts, compounding the problem. In 2024, the number of account takeover cases soared by 76%, with e-commerce and the telecommunications sectors bearing the greatest burden. During the year, nearly half (48%) of all account takeover incidents involving mobile phones were reported. 

As a result, reports of unauthorised upgrades to mobile phones soared by 96%, indicating that fraudsters are becoming increasingly sophisticated in their manipulation of telecom infrastructure to gain illicit benefits. In light of this upward trend in mobile-related fraud, it is clear that there is a growing threat landscape within the UK, prompting calls for urgent action and innovation to improve the digital security frameworks. 

SIM-swap fraud refers to a meticulously planned cybercrime that usually involves the acquisition of a victim's personal and financial information as a key part of the fraud scheme. This sensitive information, such as national identification numbers, mobile phone numbers, bank account numbers, and card details, is often collected by criminals through deceptive phishing schemes and sophisticated social engineering tricks. 

In other words, the scammer tricks victims into disclosing their credentials voluntarily by using fraudulent websites, impersonating them over phone calls, messages, or emails, or by a convincing impersonation over the phone. Once this information is in their possession, fraudsters proceed to make a SIM swap request or a number port-out request. The victim may have to convert their existing physical SIM card to an eSIM card with the same telecom provider, or they may have to transfer the number to another local operator. 

It is common for these requests to be performed remotely through the official apps provided by the telecom provider. This streamlines the process and allows criminals to circumvent in-person authentication procedures. It is important to know that in jurisdictions with advanced digital safeguards, a SIM swap is usually governed by a government-regulated electronic verification platform. Before any SIM replacements or number porting requests can be approved, identity authentication is required. 

The most common methods of verification include biometric authentication, secure login prompt approvals, or one-time authorisation codes; however, fraudsters have developed methods by which to exploit even these protective measures. An attacker commonly manipulates victims into unintentionally authorising the swap as a way to circumvent verification requirements. In the role of representatives from trusted organisations such as banks, telecom providers, or employers, they create urgent scenarios involving job applications, account updates, or fraud alerts by pretending to be representatives of such organisations. 

When victims are unaware of what is going on, they approve verification requests, allowing the fraudsters to gain control of their mobile numbers. After the SIM swap is completed, the victim's original SIM is deactivated, and then a new SIM card, which is now controlled by the fraudster, is activated. Utilising SMS-based two-factor authentication codes (2FA), which are commonly used for securing online accounts, financial services, and critical communications, the criminal can access all of the victim's information. This means that fraudsters can easily execute unauthorised transactions, gain access to sensitive digital platforms, and perpetrate identity-related crimes using these credentials, often without the victim being aware of it at all. 

Because SIM-swap fraud is an escalating threat that needs to be addressed in light of the rapid escalating threat, organisations as well as individuals must reassess their digital security practices and move away from relying exclusively on SMS authentication to protect themselves. Although two-factor authentication is an important layer of security, its dependence on mobile networks has become a critical vulnerability that cybercriminals are increasingly exploiting to their fullest extent. Businesses must adopt more secure methods of authentication, including biometric verification, authenticator apps, and hardware security keys, so that they can protect customer data and digital access points with greater security. 

Additionally, telecom providers must play a more proactive role in their customer verification protocols, monitor for unusual SIM activity, and make sure that SIM swaps and port-out requests are thoroughly checked through multi-step procedures. Additionally, policymakers and regulators should consider putting in place stronger safeguards across the sector, including a uniform standard for digital identity verification and a real-time fraud alert system. 

Consumers must become aware of the risks associated with cybercrime to defend themselves. In addition to remaining vigilant against SIM tampering, individuals must avoid sharing sensitive personal information online or during unsolicited calls and report any loss of mobile service or suspicious activity of their accounts immediately. To counter fraud on a multi-layered scale, there must be an equally dynamic response rooted in education, innovation, and collaboration across all levels of the digital ecosystem. A concerted effort is required if the UK's digital economy is to continue to thrive in the face of this growing and extremely intrusive threat - and the wider digital economy as a whole.
Read more »
User Security
blob URIs Cyber Fraud Fake Login Phishing Campaign User Security

Cybercriminals Employ Display Fake Login Pages in Your Browser

 

Cofense Intelligence cybersecurity researchers have discovered a new and increasingly successful technique that attackers are using to deliver credential phishing pages straight to users' email inboxes. 

This technique, which first surfaced in mid-2022, makes use of "blob URIs" (binary large objects-Uniform Resource Identifiers), which are addresses that point to temporary data saved by your internet browser on your own computer. Blob URIs have legitimate uses on the internet, such as YouTube temporarily storing video data in a user's browser for playback.

A key feature of blob URIs is their localised nature; that is, a blob URI created by one browser cannot be viewed by another, even on the same device. This inherent privacy feature, while advantageous for legal online services, has been abused by attackers for malicious objectives.

Cofense Intelligence's report, which was shared with Hackread.com, claims that security systems that monitor emails are unable to easily detect the malicious phoney login pages since Blob URI data isn't on the regular internet. As a result, the link in a phishing email does not lead directly to a fraudulent website. Instead, it directs you to a real website that the security systems trust, such as OneDrive from Microsoft. 

Subsequently, the user is directed to an attacker-controlled hidden webpage. The phoney login page is then created in your browser by this hidden website using a blob URI. This page can steal your username and password and send it to the cybercriminals even though it is only saved on your system. 

This poses a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyse website content to detect phishing efforts, the researchers explained. AI-powered security models may not yet be sufficiently trained to differentiate between benign and malevolent usage due to the novelty of phishing attacks employing blob URIs. 

The lack of pattern recognition makes automated detection more difficult and raises the possibility that phishing emails will evade protection, especially when paired with the popular attacker technique of employing several redirects.

Cofense Intelligence has detected many phishing attempts using this blob URI method, with lures aimed to fool users into logging in to fraudulent versions of popular services such as OneDrive. These entices include notifications of encrypted messages, urges to access Intuit tax accounts, and financial institution alerts. Regardless of the many initial pretexts, the overall attack flow is similar.

Researchers worry that this sort of phishing may become more common due to its ability to bypass security. As a result, even if links in emails appear to lead to legitimate websites, it is critical to exercise caution and double-check before entering your login details. Seeing "blob:http://" or "blob:https://" in the webpage address may indicate this new trick.
Read more »
User Privacy
Cyber Fraud IT Help Desk Marks & Spencer Social Engineering User Privacy

M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems

 

Hackers who attacked Marks & Spencer and the Co-op duped IT professionals into giving them access to their companies' networks, according to a report.

The "social engineering" attack on the Co-op allowed fraudsters to reset an employee's password before infiltrating the network, and a similar method was employed against M&S, insiders told BleepingComputer. 

Hundreds of agency workers at Marks & Spencer were advised not to come to work as the retailer grappled with the aftermath of a hack that cost the business £650 million in a matter of days. 

The disruption started in April when click-and-collect orders and contactless payments were impacted. Stuart Machin, the CEO of M&S, confirmed the issue in a message to customers, stating that the retailer would be making "minor, temporary changes" to in-store operations while it dealt with the ongoing "cyber incident.” 

In order to counter the "social engineering" tactic employed by the hackers from the Scattered Spider network against the UK supermarkets, the National Cyber Security Centre (NCSC) has released new guidelines. 

“Criminal activity online — including, but not limited to, ransomware and data extortion — is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared,” noted Jonathon Ellison, NCSC’s national resilience director, and Ollie Whitehouse, its chief technology officer, in a blog post. 

They have recommended firms to "review help desk password reset processes" and pay special attention to "admin" accounts, which typically have more access to a company's network. 

The Scattered Spider network is a group of young guys from the UK and the United States who gained popularity in September 2023 when they broke into and locked up the networks of casino companies Caesars Entertainment and MGM Resorts International, demanding large ransoms. 

Caesars paid approximately $15 million to rebuild its network. It specialises in "breaking down the front door" of networks before passing control to a "ransomware" group, which cripples the network and extorts its owner, according to the Times. 

Tyler Buchanan, a Scottish man accused of being a key member of the organisation, was extradited to the United States from Spain last month after being charged with attempting to hack into hundreds of companies, Bloomberg News reported, citing a US Justice Department official.

At the time of the assault, M&S stated that it is "working extremely hard to restart online and app shopping" and apologies for the inconvenience to customers. It has already been unable to process click and collect orders in stores due to the "cyber incident".
Read more »
takedown
Cyber Fraud Cyberattack CyberCrime Cybersecurity digitalcrime Europol Fraud Hacking LabHost LabRat lawenforcement phishing phishingkits phishingtools takedown

Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’

 

In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real-time.

One of its most dangerous features was LabRat, an integrated dashboard that enabled users to monitor ongoing phishing attacks. This tool also allowed cybercriminals to intercept two-factor authentication codes and login credentials, effectively bypassing modern security measures.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.
Read more »
North Korea Hackers
Crypto Wallet Cyber Fraud Fake Firm Lazarus Group North Korea Hackers

North Korean Hackers Create Fake U.S. Firms to Dupe Crypto Developers

 

Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions. A third firm, Angeloper Agency, is connected to the campaign but does not seem to be registered in the United States. 

“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” noted Kasey Best, director of threat intelligence at Silent Push. 

The hackers are members of a subsection inside the Lazarus Group, an elite team of North Korean hackers which is part of the Reconnaissance General Bureau, Pyongyang’s principal foreign intelligence agency, Silent Push added. 

Blocknovas and Softglide were not explicitly mentioned by the FBI. On Thursday, however, the FBI submitted a seizure notice on Blocknovas' website, stating that the name was taken "as part of a law enforcement action against North Korean Cyber Actors who utilised this domain to deceive individuals with fake job postings and distribute malware."

FBI sources told Reuters ahead of the seizure that the agency is still "focused on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.” 

One FBI officer stated that North Korean cyber operations are "perhaps one of the most advanced persistent threats" to the United States. The North Korean delegation to the United Nations in New York did not immediately respond to a request for comment. 

“These attacks utilize fake personas offering job interviews, which lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers, and they also target the developers' passwords and credentials which could be used to further attacks on legitimate businesses,” Best stated. 

Silent Push was able to authenticate several victims of the operation, "specifically via Blocknovas, which is by far the most active of the three front companies," the researchers stated in their report.
Read more »
YouTube Account
Account Hack Cyber Fraud Malicious Campaign Online Creator Social Media YouTube Account

Millions at Risk as Malicious Actors Hijack Popular YouTube Accounts

 

At a startling rate, cybercriminals are taking over well-known YouTube channels, exposing viewers to malware, frauds, and data theft. With billions of views and millions of followers at risk, a single mistake can have disastrous results. 

According to new research from Bitdefender Labs, social media account takeovers increased in 2024 and persisted into early 2025. Content creators and influencers with large followings and views have become primary targets. 

Bitdefender discovered more than 9,000 fraudulent livestreams on YouTube in 2024. These are frequently presented on hacked channels that use trusted brands and public figures to propagate fraud and malware. 

One such hijacked account had 12.4 billion views; if even 1% of viewers were duped, 124 million users would be impacted. Attackers frequently imitate well-known brands such as Tesla, Ripple, and SpaceX, holding phoney livestreams with deepfakes of public people like Elon Musk and Donald Trump to push cryptocurrency frauds and phishing links. 

Beyond YouTube, Instagram has been a key target. Hackers send phishing emails impersonating Meta or Instagram Support, cloning login pages, and tricking creators into revealing SMS verification numbers. 

Malicious sponsorships are another form of infiltration. Cybercriminals trick creators into downloading malicious files disguised as promotional content. Malvertising, which includes adverts for bogus AI products or games like GTA VI that install info-stealers and remote access trojans on victims' gadgets, is also a prevalent strategy.

Events with enormous internet audiences, such as Apple keynotes, the XRP-SEC litigation, or CS2 tournaments, are regularly targeted. Attackers take advantage of these periods of high interest to run frauds disguised as official livestreams or contests.

Prevention tips 

To stay safe, creators should utilise the finest browsers with built-in security measures, enable multi-factor authentication (MFA), and regularly monitor account activity for any unusual changes. Unexpected sponsorship offers, particularly those related to trending issues, must also be carefully scrutinised.

It is recommended that you use the best DDoS protection to avoid service disruptions caused by account takeovers, and that you use a reputable proxy service to offer an extra layer of anonymity and security when managing accounts across many platforms.
Read more »
Scam
Cyber Fraud Cyberattack CyberCrime Hacking Pune Scam

Pune Company Falls Victim to ₹6.49 Crore Cyber Fraud in Major Man-in-the-Middle Attack

 

A 39-year-old director of a Mohammedwadi-based firm, which operates in IT services and dry fruit imports, was duped into transferring ₹6.49 crore following a sophisticated Man-in-the-Middle (MitM) cyberattack on March 27. In a MitM scam, cybercriminals secretly intercept communications between two parties, impersonating one to deceive the other, often stealing sensitive information or funds.

According to investigators, the company director was at his residence near NIBM Road when he received what appeared to be a legitimate payment request via email from a business associate. Trusting the authenticity, he initiated the payment and even instructed his bank to process it. However, when he later contacted the exporter to confirm receipt, they denied getting any money.

Upon closer inspection, the director discovered subtle changes in the sender's email ID and bank account details — just one letter altered in the email address and a different bank account number. These minor discrepancies went unnoticed initially, police said.

Senior Inspector Swapnali Shinde of the Cyber Police told TOI, "It has two divisions, one for IT services and another for importing dry fruits. The company director would import the dry fruits from different countries, including the United States and those in the Middle-East. On March 27, he received a payment request from an exporter of dry fruits based in the US. The email demanded payment of nearly Rs 6.5 crore. The victim, thinking it was for the almonds he'd recently imported, initiated the transaction."

Realizing the fraud only on April 17, the director registered an FIR with Pune's cyber police on April 23.

Shinde added, "Officials from his bank called him to verify the transaction, but he told them to proceed. The amount was across in five transactions," explaining that the online ledger displayed only the first few letters of the firm's name and bank details.

"The victim did not realise that the account number of the company, with whom he had regular business with, was changed. He just clicked on the button and initiated the transactions," Shinde said.

Cyber investigators are now tracing the trail of the siphoned funds. "The cash went to several accounts. We're still trying to establish a trail. As of now we can say that about Rs 3 crore is yet to reach the suspects. We will try our best to salvage the money," Shinde stated.
Read more »
User Security
Cyber Fraud Deepfakes Financial Scam Hong Kong Police User Security

Eight Arrested Over Financial Scam Using Deepfakes

 

Hong Kong police have detained eight people accused of running a scam ring that overcame bank verification checks to open accounts by replacing images on lost identification cards with deepfakes that included scammers' facial features. 

Senior Superintendent Philip Lui Che-ho of the force's financial intelligence and investigation division stated on Saturday that the raid was part of a citywide operation on scams, cybercrime, and money laundering that took place between April 7 and 17. Officers arrested 503 persons aged 18 to 80. Losses in the cases surpassed HK$1.5 billion (US$193.2 million. 

Officers arrested the eight suspects on Thursday for allegedly using at least 21 Hong Kong identification cards that were reported lost to make 44 applications to create local bank accounts, according to Chief Inspector Sun Yi-ki of the force's cybersecurity and technology crime branch. 

“The syndicate first tried to use deepfake technology to merge the scammer’s facial features with the cardholder’s appearance, followed by uploading the scammer’s selfie to impersonate the cardholder and bypass the online verification process,” Sun said. 

Following the successful completion of online identification checks at banks, thirty out of the forty-four applications were accepted. In half of the successful attempts, artificial intelligence was used to construct images that combined the identity card's face with the scammer's. The others just substituted the scammer's photo for the one on the ID.

Police claimed the bank accounts were used to apply for loans and make credit card transactions worth HK$860,000, as well as to launder more than HK$1.2 million in suspected illegal proceeds. Sun said the force was still looking into how the syndicate obtained the ID cards, which were claimed lost between 2023 and 2024. On suspicion of conspiracy to defraud and money laundering, police detained the six men and two women and seized numerous laptops, phones, and external storage devices. 

The accused range in age from 24 to 41, with the mastermind and main members of the ring allegedly belonging to local triad gangs. Lui urged the public against renting, lending, or selling access to their bank accounts to anyone.

The 333 men and 170 women arrested during the citywide raid were discovered to be engaged in 404 crimes, the most of which were employment frauds, financial swindles, and internet shopping scams. They were caught for conspiracy to defraud, gaining property by deception, and money laundering. Two cross-border money-laundering operations were busted in coordination with mainland Chinese authorities over the last two weeks. 

Lui claimed that one of the syndicates laundered alleged illicit earnings from fraud operations by hiring tourists from the mainland to purchase gold jewellery in Hong Kong. Between last December and March of this year, the syndicate was discovered to have been involved in 240 mainland scam instances, resulting in losses of 18.5 million yuan (US$2.5 million). 

“Syndicate masterminds would recruit stooges from various provinces on the mainland, bringing them to Hong Kong via land borders and provide hostel accommodation,” the senior superintendent stated.

Syndicate members would then arrange for the recruits to purchase gold jewellery in the city using digital payment methods, with each transaction costing tens to hundreds of thousands of Hong Kong dollars. On Tuesday last week, Hong Kong police apprehended three individuals who had just purchased 34 pieces of gold jewellery for HK$836,000 per the syndicate's orders. Two of them had two-way passes, which are travel documents that allow mainlanders to access the city. The third suspect was a Hong Konger.

On the same day, mainland police arrested 17 persons. The second cross-border syndicate arranged for mainlanders to create accounts in Hong Kong using fraudulent bank, employment, and utility bill documents. Police in Hong Kong and the mainland arrested a total of 16 persons in connection with the investigation. From December 2023 to April, the syndicate was involved in 61 scam instances in the city, resulting in losses of HK$26.7 million. Accounts were created to receive the scam money.
Read more »
Verification
AI Cyber Fraud Cybersecurity Deepfake Fraud identity Recruitment Resume Verification

Fake Candidates, Real Threat: Deepfake Job Applicants Are the New Cybersecurity Challenge

 

When voice authentication firm Pindrop Security advertised an opening for a senior engineering role, one resume caught their attention. The candidate, a Russian developer named Ivan, appeared to be a perfect fit on paper. But during the video interview, something felt off—his facial expressions didn’t quite match his speech. It turned out Ivan wasn’t who he claimed to be.

According to Vijay Balasubramaniyan, CEO and co-founder of Pindrop, Ivan was a fraudster using deepfake software and other generative AI tools in an attempt to secure a job through deception.

“Gen AI has blurred the line between what it is to be human and what it means to be machine,” Balasubramaniyan said. “What we’re seeing is that individuals are using these fake identities and fake faces and fake voices to secure employment, even sometimes going so far as doing a face swap with another individual who shows up for the job.”

While businesses have always had to protect themselves against hackers targeting vulnerabilities, a new kind of threat has emerged: job applicants powered by AI who fake their identities to gain employment. From forged resumes and AI-generated IDs to scripted interview responses, these candidates are part of a fast-growing trend that cybersecurity experts warn is here to stay.

In fact, a Gartner report predicts that by 2028, 1 in 4 job seekers globally will be using some form of AI-generated deception.

The implications for employers are serious. Fraudulent hires can introduce malware, exfiltrate confidential data, or simply draw salaries under false pretenses.

A Growing Cybercrime Strategy

This problem is especially acute in cybersecurity and crypto startups, where remote hiring makes it easier for scammers to operate undetected. Ben Sesser, CEO of BrightHire, noted a massive uptick in these incidents over the past year.

“Humans are generally the weak link in cybersecurity, and the hiring process is an inherently human process with a lot of hand-offs and a lot of different people involved,” Sesser said. “It’s become a weak point that folks are trying to expose.”

This isn’t a problem confined to startups. Earlier this year, the U.S. Department of Justice disclosed that over 300 American companies had unknowingly hired IT workers tied to North Korea. The impersonators used stolen identities, operated via remote networks, and allegedly funneled salaries back to fund the country’s weapons program.

Criminal Networks & AI-Enhanced Resumes

Lili Infante, founder and CEO of Florida-based CAT Labs, says her firm regularly receives applications from suspected North Korean agents.

“Every time we list a job posting, we get 100 North Korean spies applying to it,” Infante said. “When you look at their resumes, they look amazing; they use all the keywords for what we’re looking for.”

To filter out such applicants, CAT Labs relies on ID verification companies like iDenfy, Jumio, and Socure, which specialize in detecting deepfakes and verifying authenticity.

The issue has expanded far beyond North Korea. Experts like Roger Grimes, a longtime computer security consultant, report similar patterns with fake candidates originating from Russia, China, Malaysia, and South Korea.

Ironically, some of these impersonators end up excelling in their roles.

“Sometimes they’ll do the role poorly, and then sometimes they perform it so well that I’ve actually had a few people tell me they were sorry they had to let them go,” Grimes said.

Even KnowBe4, the cybersecurity firm Grimes works with, accidentally hired a deepfake engineer from North Korea who used AI to modify a stock photo and passed through multiple background checks. The deception was uncovered only after suspicious network activity was flagged.

What Lies Ahead

Despite a few high-profile incidents, most hiring teams still aren’t fully aware of the risks posed by deepfake job applicants.

“They’re responsible for talent strategy and other important things, but being on the front lines of security has historically not been one of them,” said BrightHire’s Sesser. “Folks think they’re not experiencing it, but I think it’s probably more likely that they’re just not realizing that it’s going on.”

As deepfake tools become increasingly realistic, experts believe the problem will grow harder to detect. Fortunately, companies like Pindrop are already developing video authentication systems to fight back. It was one such system that ultimately exposed “Ivan X.”

Although Ivan claimed to be in western Ukraine, his IP address revealed he was operating from a Russian military base near North Korea, according to the company.

Pindrop, backed by Andreessen Horowitz and Citi Ventures, originally focused on detecting voice-based fraud. Today, it may be pivoting toward defending video and digital hiring interactions.

“We are no longer able to trust our eyes and ears,” Balasubramaniyan said. “Without technology, you’re worse off than a monkey with a random coin toss.”
Read more »
Toll Payment
Cyber Fraud Cybersecurity CyberThreat E-ZPass FasTrak Road Toll Scam Alert SMiShing SMS Toll Payment

Smishing Triad Broadens Fraud Campaign to Include Toll Payment Services

 


Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate. As a result of these fraudulent campaigns, unsuspecting motorists are lured into clicking harmful links and sending unauthorized payments by impersonating legitimate toll payment notification emails. 

The main issue is that the tolling infrastructure does not contain system intrusions or data breaches, contrary to common misconceptions. As a result, bad actors are exploiting widely recognized tolling practices as a means of deceiving individuals into engaging with malicious content, which is in direct contravention of public trust. 

A critical line of defense against these fraudulent activities, which toll operators are strengthening their collaboration with cybersecurity experts and law enforcement agencies, remains public awareness. Communication professionals within these organizations play a crucial role in proactively informing and educating their consumers regarding these fraudulent activities. It is imperative that outreach and messaging are clear and consistent so that individuals can recognize legitimate correspondence and avoid falling victim to sophisticated digital deception. 

To combat this growing threat, we need not only technological measures but also a comprehensive communication strategy centred on transparency, vigilance and trust. As part of the increasing prevalence of digital fraud, deceptive text messages alleging that toll charges have not been paid are becoming increasingly prevalent. 

There is a tactic in practice known as "smishing," a combination of short message service (SMS) and email fraud, which involves the use of text messaging platforms to deceive users into disclosing sensitive personal or financial information, or unintentionally install malicious software, which is referred to as smishing. While this fraudulent premise may seem straightforward, the impact it has is tremendous. As well as suffering direct financial losses, victims may also compromise the security of their devices, allowing them to be vulnerable to identity theft and data breaches. 

A Chinese cybercrime syndicate known as Smishing is responsible for an increase in toll-related scams, a trend which is associated with a marked increase in smishing attacks. A group called Triath has begun launching highly coordinated fraud campaigns that target consumers in the United States and the United Kingdom, with indications that the fraud might expand globally in the coming months. The deceptive messages are often misconstrued as legitimate toll service notifications, citing recognizable platforms such as FasTrak, E-ZPass, and I-Pass as a means of convincing the reader that the message is legitimate. 

There is a strong correlation between these operations and the group's previous international fraud patterns, which suggests that the group is seeking to exploit tolling systems across various regions as a larger strategic initiative. By exploiting an E-ZPass account credential harvesting scheme, cybercriminals are targeting an increasing number of E-ZPass users across multiple states. Scammers are sending fraudulent text messages posing as official tolling authorities to alert victims to the fact that there is an outstanding toll balance on their accounts. 

It is common for these messages to contain false claims that the account has expired or is delinquent, prompting the user to make an urgent payment to avoid penalties. As for the requests, typically they range between $3.95 and $12.55 — sums that are low enough to avoid raising suspicions, but high enough to be exploited at scale. 

By utilizing a minimal financial impact, it is more likely that the recipient will comply since such minor charges may not be scrutinized by the recipient. When an attacker entices their users to click embedded links, they redirect them to counterfeit portals that steal sensitive information like logins or payment information, which in turn compromises the users' data under the guise of a routine toll notification, which can then compromise their personal information. 

The most insidious part of these campaigns is the sophisticated spoofing of Sender IDs, which makes it seem as if the messages are from official sources, making them seem particularly dangerous. There are various instant messaging platforms available today that offer relatively limited spam protection, compared to email-based phishing, which is increasingly mitigated by advanced filtering technologies. These platforms, such as SMS, iMessage, and similar services, offer comparatively limited spam protection, compared to email-based phishing. 

The perception of urgency embedded in the communication often provokes immediate action as well, since they are highly trusted by their users. Those scams that combine technical evasion with psychological manipulation are highly effective, outperforming the effectiveness of traditional phishing vectors such as email and search engine manipulation in terms of success rates. 

With the widespread adoption of cashless tolling systems and the increasing use of mobile devices for routine transactions, there is a ripe environment for the exploitation of these devices. These evolving digital habits are exploited by fraudsters by impersonating legitimate agencies and utilizing the appearance of urgency to induce immediate action, often uncritical, from the target group. 

According to the Federal Bureau of Investigation's Internet Crime Complaint Center, over 60,000 reports involving such scams were received during 2024, indicating the alarming nature of the problem. There is a trend among text-based fraud that includes toll-related schemes, but it is also a common occurrence. 

Text-based fraud can be based on overdue phone bills, shipping notifications, or even fake cybersecurity alerts. Attacks like these are often carried out by increasingly organized international criminal networks by using automated systems able to target thousands of individuals at the same time. The federal and state governments, along with the transportation agencies, have responded to the situation by issuing public advisories to raise awareness and encourage vigilance. Although specific actors have not yet been officially identified, it has become increasingly apparent that cybercrime syndicates are engaged in these toll-related smishing campaigns due to their scope and precision. 

Recent developments in emerging intelligence have revealed several important developments, including: 

In a recent report, it has been reported that criminal groups based in China are selling ready-made pre-compiled phishing kits, making it easier for fraudsters to impersonate toll agencies with the highest degree of accuracy and with the least amount of technical knowledge. 

The attackers registered thousands of fake domain names that appear to be legitimate toll websites and made them appear as if they were legitimate toll websites from multiple states, including Massachusetts, Florida, and Texas. 

Fraudsters are actively exploiting the names of well-known toll systems to mislead the public into believing that they are dealing with a genuine problem and coerce them into clicking malicious links or disclosing personal information. 

“The rise of these sophisticated road toll scams is catching many people off guard, highlighting the evolving nature of cybercrime. What we're seeing is a well-organized and potentially lucrative operation,” 
— Gene Kingsley, Special VP, Board of Directors, InfraGard National Members Alliance; Chairman, American Security and Resilience Foundation 

A more effective way of deterring crime is to raise public awareness about it through the following methods: 

This level of sophistication emphasizes the pivotal role public education plays as the first line of defence against such threats. The aim is to raise individuals' awareness about these types of tactics, to enable them to recognize and report suspicious messages. 

As a precautionary measure against the potential risks, the Federal Bureau of Investigation (FBI) recommends the following protective measures: 

Do not respond to unsolicited text messages seeking personal and financial information. 

Do not click on links that appear in unexpected messages, as these may lead to fake websites that are designed to steal users' personal information. The toll agency can be contacted directly through official channels to verify the message. 

The FBI Internet Crime Complaint Center can be contacted at www.ic3.gov, where users can report fraud along with the sender's name and suspicious links. Once they report the scam, delete any fraudulent messages to prevent unintentional interaction with the sender. 

To disrupt these fraudulent operations and protect their digital identity, consumers must follow these steps and remain sceptical when it comes to unsolicited communications.
Read more »
Scam
Antivirus Cyber Fraud Cybersecurity Fraud Hackers phishing Scam

Phishing Scams Are Getting Smarter – And More Subtle : Here’s All You Need to Know

 

Cybercriminals are evolving. Those dramatic emails warning about expired subscriptions, tax threats, or computer hacks are slowly being replaced by subtler, less alarming messages. New research suggests scammers are moving away from attention-grabbing tactics because people are finally catching on.

Kendall McKay, strategic lead for cyber threat intelligence at Cisco’s Talos division, said phishing scams are adapting to stay effective. “They probably know that we've caught on to this and the tricky, sensational email isn't going to work anymore,” McKay said. “So they've moved towards these benign words, which are likely to show up in your inbox every day."

Cisco’s 2024 Year in Review report found that common phishing emails now include subject lines like “request,” “forward,” and “report”—a shift from the usual “urgent” or “payment overdue.” Despite the growing use of advanced tools like AI, scammers still favor phishing because it works. Whether they’re targeting large corporations or individuals, their aim remains the same: to trick users into clicking malicious links or giving up sensitive information.

The most impersonated brands in blocked phishing emails last year included:
  • Microsoft Outlook – 25% of total phishing attempts
  • LinkedIn
  • Amazon
  • PayPal
  • Apple
  • Shein
“Phishing is still prominent, phishing is effective, and phishing is only getting better and better, especially with AI,” McKay said.

Common phishing tactics include:
  • Unsolicited messages via email, text, or social media—especially if they come from people or companies you haven’t contacted.
  • Fake job offers that appear legitimate. Always verify recruiter details, and never share personal information unless it’s through a trusted channel.
  • Requests for gift cards or cryptocurrency payments—these are favored by scammers because they’re untraceable. Official entities like the IRS won’t ever ask for payment in these forms or reach out via email, phone, or text.
  • Online romance scams that play on emotional vulnerability. The FTC reported $384 million in losses from romance scams in just the first nine months of 2024.
  • Charity scams tied to current events or disasters. Always donate through official websites or verified sources.
To protect yourself if you think you’ve been phished:
  • Install and update antivirus software regularly—it helps filter spam and block malware-laced attachments.
  • Use strong, unique passwords for every account. A password manager can help manage them if needed.
  • Enable two-factor authentication (2FA) using apps or physical security keys (avoid SMS-based 2FA when possible).
  • Freeze your credit if your Social Security number or personal data may have been compromised. Experts even suggest freezing children’s credit to prevent unnoticed identity theft.
  • Scams are no longer loud or obvious. As phishing becomes more polished and AI-powered, the best defense is staying alert—even to the emails that seem the most routine.
Read more »
Password Breach
Credential Stuffing Cyber Fraud Cybersecurity Infostealer Malware Password Breach

Massive Password Breach Fuels Rise of Automated Credential-Stuffing Attacks

 

If you’re still relying solely on passwords to protect your digital life, this might be your wake-up call. A surge in infostealer malware has compromised billions of credentials, with 85 million fresh passwords now actively being used in cyberattacks. And even with two-factor authentication (2FA), you're not necessarily safe — hackers are leveraging stolen session cookies to bypass 2FA protections entirely.

This threat has escalated with the emergence of a sophisticated hacking tool: Atlantis AIO. A recent threat intelligence report by Abnormal Security warns that this automated credential-stuffing machine is exploiting stolen credentials to infiltrate everything from email and VPNs to streaming and food delivery services.

“Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,” Abnormal Security analysts said, “enabling attackers to test millions of stolen credentials in rapid succession.”

Credential stuffing isn’t a new concept — but it’s becoming more dangerous. Cybercriminals are constantly refining tools to make these attacks more efficient. In a previous report from March 15, internal chat logs from the Black Basta ransomware group exposed how an automated brute-force attack system was being used to infiltrate accounts.

Both brute-force and credential-stuffing attacks work by bombarding accounts with endless combinations of usernames and passwords. By leveraging databases of breached credentials from the dark web and criminal forums, hackers can easily gain access to multiple accounts that share reused passwords.

What sets Atlantis AIO apart is its plug-and-play structure. It offers pre-configured modules tailored to target over 140 different platforms — from popular email providers like Hotmail, Yahoo, AOL, GMX, and Web.de, to VPNs, streaming platforms, banking apps, and food delivery services.

The message is clear: if you're still reusing passwords, it's time to rethink your security habits. Passwords alone are no longer enough to stay safe online.

Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Subscribe to: Posts (Atom)