
Parking Meter QR Code Scam Grows Nationwide as “Quishing” Threatens Drivers


A growing scam involving fake QR codes on parking meters is putting unsuspecting drivers at risk of financial fraud. This deceptive tactic—called “quishing,” a blend of “QR” and “phishing”—relies on tampered QR codes that redirect people to bogus websites designed to steal sensitive information like credit card details or vehicle data. 

The scam works in a surprisingly simple but effective way: fraudsters cover official QR codes on parking meters with nearly identical stickers that feature malicious codes. When scanned, the QR code does not lead to the authorized parking service’s payment portal but instead sends users to a counterfeit site. These phishing websites often look nearly identical to legitimate services, making them difficult to identify as fraudulent. Once there, victims are prompted to enter personal data that can later be misused to withdraw funds or commit identity theft.  

Recent reports have confirmed the presence of such manipulated QR codes on parking infrastructure in multiple cities, and similar schemes have also been spotted on electric vehicle charging stations. In one documented case, a victim unknowingly lost a four-figure amount after entering their payment information on a fake page. According to police authorities in Lower Saxony, Germany—where the scam has seen a surge—this type of attack is rapidly spreading and becoming a nationwide concern. 

Unlike phishing emails, which are often flagged by security software, QR codes are processed as images and generally bypass traditional cybersecurity defenses. This makes “quishing” harder to detect and potentially more dangerous, especially for users with outdated smartphone software. Because these scams exploit visual deception and technical limitations, the responsibility often falls on users to scrutinize QR codes closely before scanning.  

Experts recommend taking a few precautions to stay safe. First, inspect the QR code on the meter to ensure it hasn’t been tampered with or covered by a sticker. If anything appears off, avoid scanning it. For added security, users should download the official parking service app from an app store and enter location details manually. Using third-party QR code scanner apps that reveal the destination URL before opening it can also help prevent falling for a fake link. 
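The last precaution above, previewing the destination URL before opening it, only helps if you know what to compare it against. The following added example (not part of the original post) shows the check a scanner app or a parking operator's own tooling could run on a decoded QR URL: it requires HTTPS, rejects URL shorteners and embedded credentials, and compares the host against an allowlist of the operator's real payment domains. The domain names in `EXPECTED_HOSTS` are placeholders, not the domains of any real parking service.

```python
from urllib.parse import urlparse

# Constructed allowlist: the parking operator's genuine payment hosts.
# These are placeholder values for the example, not real operator domains.
EXPECTED_HOSTS = {"pay.example-parking.com", "app.example-parking.com"}

# Public URL shorteners hide the real destination, so a payment QR code
# should never point at one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def assess_qr_url(url: str) -> list:
    """Return a list of findings for a URL decoded from a QR code.

    An empty list means the URL uses HTTPS and points at an approved host.
    """
    findings = []
    parsed = urlparse(url.strip())

    if parsed.scheme.lower() != "https":
        findings.append(f"scheme is '{parsed.scheme or 'none'}', not https")

    host = (parsed.hostname or "").lower()
    if not host:
        findings.append("no host in URL")
        return findings

    # Internationalised domain names can look identical to the real one.
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) host; possible look-alike domain")

    if host in SHORTENERS:
        findings.append(f"URL shortener '{host}' hides the real destination")

    # "https://pay.example-parking.com@evil.example/" puts the real host after '@'.
    if parsed.username or parsed.password:
        findings.append("credentials embedded before '@'; host may be spoofed")

    if host not in EXPECTED_HOSTS:
        # The expected name used as a subdomain or with extra characters is a
        # classic look-alike, e.g. pay.example-parking.com.payment-portal.net
        for expected in EXPECTED_HOSTS:
            if expected in host or expected.replace(".", "-") in host:
                findings.append(
                    f"'{host}' resembles '{expected}' but is a different domain"
                )
                break
        else:
            findings.append(f"host '{host}' is not an approved operator domain")

    return findings


if __name__ == "__main__":
    for candidate in (
        "https://pay.example-parking.com/meter/1234",
        "https://pay.example-parking.com.payment-portal.net/",
        "https://bit.ly/abc",
    ):
        print(candidate, "->", assess_qr_url(candidate) or "OK")
```

The look-alike test deliberately matches the expected name anywhere inside the scanned host, because the sticker scams described above rely on a domain that contains the operator's brand while belonging to someone else.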

Anyone who believes they may have been scammed should act immediately by contacting their bank to block the card, reporting the incident to local authorities, and monitoring accounts for unauthorized activity. Law enforcement is urging users to stay alert as these scams become more common, especially in urban areas where mobile parking and EV charging stations are widely used.

FBI Raises Alarm as Scattered Spider Threat Group Expands Target Sectors


The Federal Bureau of Investigation (FBI) has issued a high-level cybersecurity alert warning about the growing threat posed by Scattered Spider, a cybercriminal group now targeting the transportation sector, specifically the aviation industry, and expanding its focus to insurance companies. Previously associated with large-scale ransomware attacks in the retail sector, including a significant breach at Marks & Spencer in the UK that resulted in losses exceeding $600 million, the group is now shifting tactics and industries.

A recent analysis by cybersecurity firm Halcyon, confirmed by the FBI, highlights how Scattered Spider is using advanced social engineering to bypass multi-factor authentication (MFA), often by impersonating employees or contractors and deceiving IT help desks into adding unauthorized MFA devices. The FBI has urged organizations to strengthen their MFA procedures and report any suspicious activity promptly. Research from Reliaquest shows the group often spoofs technology vendors and specifically targets high-access individuals like system administrators and executives.
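The help-desk technique above leaves a trace that security operations teams can alert on: a help-desk-initiated MFA reset followed shortly by the enrollment of a new factor, especially on a high-access account. The following added example (not from the original post, the FBI, Halcyon or ReliaQuest) runs that detection over a few constructed identity-provider audit events. The event names, field names and usernames are assumptions made for the example; a real deployment would map them onto the identity provider's own log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line. The schema
# (event names, "identity_verified" flag, actor ids) is an assumption for
# this example, not any vendor's real log format.
SAMPLE_LOG = """
{"ts":"2025-06-27T09:02:11Z","event":"helpdesk.mfa_reset","user":"j.admin","actor":"helpdesk.agent7","identity_verified":false}
{"ts":"2025-06-27T09:09:40Z","event":"mfa.factor_enroll","user":"j.admin","factor":"push","ip":"203.0.113.77"}
{"ts":"2025-06-27T10:15:02Z","event":"helpdesk.mfa_reset","user":"m.staff","actor":"helpdesk.agent2","identity_verified":true}
{"ts":"2025-06-27T10:20:30Z","event":"mfa.factor_enroll","user":"m.staff","factor":"totp","ip":"198.51.100.8"}
{"ts":"2025-06-27T14:00:00Z","event":"mfa.factor_enroll","user":"c.exec","factor":"push","ip":"203.0.113.77"}
"""

# Accounts the article's reporting singles out as prime targets:
# system administrators and executives (constructed list).
HIGH_ACCESS = {"j.admin", "c.exec"}

# A reset and an enrollment this close together is the help-desk pattern.
WINDOW = timedelta(minutes=30)


def parse_events(raw: str) -> list:
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_enrollments(raw: str) -> list:
    """Return alerts for MFA enrollments that fit help-desk social engineering.

    Rule: a new factor enrolled within WINDOW of a help-desk reset whose
    identity check was not recorded as verified is suspicious; any new factor
    on a high-access account is reviewed regardless. Both together are "high".
    """
    last_reset = {}  # user -> most recent help-desk reset event
    alerts = []
    for event in parse_events(raw):
        if event["event"] == "helpdesk.mfa_reset":
            last_reset[event["user"]] = event
            continue
        if event["event"] != "mfa.factor_enroll":
            continue

        user = event["user"]
        reset = last_reset.get(user)
        reasons = []
        if (reset and event["ts"] - reset["ts"] <= WINDOW
                and not reset["identity_verified"]):
            minutes = int((event["ts"] - reset["ts"]).total_seconds() // 60)
            reasons.append(
                f"new factor {minutes} min after unverified help-desk reset "
                f"by {reset['actor']}"
            )
        if user in HIGH_ACCESS:
            reasons.append("high-access account")

        # A verified reset for an ordinary user is routine; anything else
        # becomes a ticket for the identity team.
        if reasons:
            alerts.append({
                "user": user,
                "ts": event["ts"].isoformat(),
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_enrollments(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], "-", "; ".join(alert["reasons"]))
```

On the sample data the administrator's enrollment seven minutes after an unverified reset is rated high, the executive's out-of-band enrollment is rated medium for review, and the ordinary user whose reset was verified produces no alert. The `identity_verified` flag is the key control: it represents whatever call-back or in-person verification step the help desk is required to record before touching MFA.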

Scattered Spider is financially driven and reportedly connected to a broader cybercriminal collective known as The Community. Its collaborations with ransomware operators such as ALPHV, RansomHub, and DragonForce have enabled it to access sophisticated cyber tools. What makes the group particularly dangerous is its ability to blend technical skill with social engineering, recruiting English-speaking attackers with neutral accents and regional familiarity to convincingly impersonate support staff during Western business hours. Real-time coaching and detailed scripts further enhance the success of these impersonation efforts.

Beyond aviation, experts are now seeing signs of similar attacks in the U.S. insurance sector. Google’s Threat Intelligence Group confirmed multiple such incidents, and security leaders warn that these are not isolated cases. Jon Abbott, CEO of ThreatAware, emphasized that this trend signals a broader threat landscape for all industries. 

Richard Orange of Abnormal AI noted that Scattered Spider relies more on manipulating human behaviour than exploiting software vulnerabilities, often moving laterally across systems to gain broader access. The group’s exploitation of supply chain links has been a consistent tactic, making even indirect associations with targeted sectors a point of vulnerability. As the FBI continues to work with affected industries, experts stress that all organizations, regardless of sector, must enhance employee awareness, implement strict identity verification, and maintain vigilance against social engineering threats.

Deepfakes Explained: How They Operate and How to Safeguard Yourself


In May of this year, an anonymous person called and texted elected lawmakers and business executives pretending to be a senior White House official. U.S. senators were among the recipients who believed they were speaking with White House chief of staff Susie Wiles. In reality, though, it was a phoney. 

The scammer employed AI-generated deepfake software to replicate Wiles' voice. This easily accessible, low-cost software modifies a public speech clip to deceive the target. 

Why are deepfakes so convincing? 

Deepfakes are alarming because of how authentic they appear. AI models can analyse public photographs or recordings of a person (for example, from social media or YouTube) and then create a fake that mimics their face or tone very accurately. As a result, many people overestimate their ability to detect fakes. In an iProov poll, 43% of respondents stated they couldn't tell the difference between a real video and a deepfake, and nearly one-third had no idea what a deepfake was, highlighting a vast pool of potential victims.

Deepfakes rely on trust: the victim recognises a familiar face or voice, and alarms do not sound. These scams also rely on haste and secrecy (for example, 'I need this wire transfer now—do not tell anyone'). When we combine emotional manipulation with visual/auditory reality, it is no surprise that even professionals have been duped. The employee in the $25 million case saw something odd—the call stopped abruptly, and he never communicated directly with colleagues—but only realised it was a scam after the money was stolen. 

Stay vigilant 

Given the difficulty in visually recognising a sophisticated deepfake, the focus switches to verification. If you receive an unexpected request by video call, phone, or voicemail, especially if it involves money, personal data, or anything high-stakes, take a step back. Verify the individual's identity using a separate channel.

For example, if you receive a call that appears to be from a family member in distress, hang up and call them back at their known number. If your supervisor requests that you buy gift cards or transfer payments, attempt to confirm in person or through an official company channel. It is neither impolite nor paranoid; rather, it is an essential precaution today.

Create secret safewords or verification questions with loved ones for emergencies (something a deepfake impostor would not know). Be wary of what you post publicly. If possible, limit the number of high-quality videos or voice recordings you make public, as these are used to build deepfakes.

Fake Firefox Extensions Mimic Crypto Wallets to Steal Seed Phrases


Over 40 deceptive browser extensions available on Mozilla Firefox’s official add-ons platform are posing as trusted cryptocurrency wallets to steal user data, according to security researchers. These malicious add-ons are camouflaged as popular wallet brands such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, MyMonero, OKX, and Keplr. 

Behind their familiar logos and fake five-star reviews lies code designed to exfiltrate wallet credentials and seed phrases to servers controlled by attackers. Cybersecurity firm Koi Security, which discovered this threat campaign, suspects a Russian-speaking hacking group is responsible. In a report shared with BleepingComputer, the firm revealed that the fraudulent extensions were modified versions of legitimate open-source wallets, altered to include stealthy monitoring code. 

These extensions monitor browser input for strings that resemble wallet keys or recovery phrases — often identified by their length and character patterns. Once such sensitive input is detected, the information is covertly sent to attackers. To avoid suspicion, the extensions suppress error messages or alerts by rendering them invisible. The most critical data targeted are seed phrases — multi-word recovery codes that serve as master keys for crypto wallets. Anyone with access to a seed phrase can irreversibly drain all assets from a user’s wallet. 

The campaign has reportedly been active since at least April 2025, and new malicious add-ons continue to appear. Some were added as recently as last week. Despite Mozilla’s efforts to flag and remove such add-ons, Koi Security noted that many remained live even after being reported through official channels. The fake extensions often feature hundreds of fraudulent five-star reviews to build trust, although some also have one-star ratings from victims warning of theft. 

In many cases, the number of reviews far exceeds the number of downloads — a red flag missed by unsuspecting users. Mozilla responded by confirming that it is aware of ongoing threats targeting its add-ons ecosystem and has already removed many malicious listings. The organization has implemented a detection system that uses automated tools to flag suspicious behavior, followed by manual review when necessary.

In a statement to BleepingComputer, Mozilla emphasized its commitment to user safety and stated that additional measures are being taken to improve its defense mechanisms. As fake wallet extensions continue to circulate, users are urged to verify the authenticity of browser add-ons, rely on official websites for downloads, and avoid entering recovery phrases into any untrusted source.

The Rise in IT Helpdesk Scams: What Can Users Do?


Over 37,500 complaints concerning phoney tech-support scams were filed in the United States last year alone, resulting in losses of over $924 million, according to the FBI's latest Internet Crime Report.

In this piece, we'll look at how these scams work, the risks they bring, and how you can prevent them. 

Modus operandi

In this scheme, scammers generally mimic technical or customer-service representatives from prominent corporations, most often in the tech industry. This allows fraudsters to utilise impressive-sounding phrases and technical information that the common user cannot understand.

The most typical pretext used by fraudulent tech-support scammers to contact potential victims is claiming to have discovered a problem with the victim's computer. If, for example, people claiming to be employees of a software developer or a well-known antivirus company call you and tell you that they have discovered malware on your computer, you should be suspicious.

In this way, scammers overwhelm their victims, creating panic and a sense of helplessness. The fraudsters then exploit these emotions to gain trust, and it is this trust that they ultimately use to achieve their objectives.

Prevention tips

If someone approaches you claiming to be from tech support, warns you of a danger, and insists that action be taken immediately, it is most certainly a fake tech-support fraudster. Try not to panic and avoid doing anything you'll regret later.

It is preferable to share what is going on with someone else, as this might help you discover inconsistencies and flaws in the scammer's story. To buy time, tell them you're busy, have another call, your phone's battery is running low, or simply pretend to be disconnected. Furthermore, to protect yourself from scammers, you can take the following steps: 

  • Install a reputable security solution on all of your devices and heed its warnings. 
  • Never enter your login information while someone else is viewing, such as while screen sharing or when someone has remote access to your computer. 
  • Avoid installing remote access software on your computer, and never provide access to outsiders. By the way, our protection can alert you to such threats.

It's also worth noting that the elderly are particularly prone to tech-support fraud. They may not be very cyber-savvy, so they need reliable security more than anyone else.

Unwanted Emails Are Annoying But Unsubscribing Can Be Riskier

A growing number of Gmail users treat the “unsubscribe” button as a straightforward way to declutter an overflowing inbox, but cybersecurity experts warn that a growing and mostly ignored threat lurks behind it. Once considered a harmless way of reducing unwanted email, the unsubscribe link has evolved into a sophisticated tool in cybercriminals' arsenal.

Because users are naturally motivated to regain control of their inboxes, scammers embed malicious unsubscribe buttons in their messages that do far more than remove a sender from a list. Clicking these links quietly confirms that the email address is active and marks the recipient as a prime target for future phishing attacks. Sometimes the click leads to malware installation or redirects the user to a fake login page built to steal credentials.

While keeping one's inbox clean may seem like a routine act of digital hygiene, doing so could lead to information theft, account compromise, or the spread of malicious software. Since inbox overload has become an everyday struggle, security experts warn that convenience should never take precedence over caution in inbox management.

In an era when cyberthreats are increasingly disguised as legitimate communication, a sophisticated scam can begin with an innocent-looking unsubscribe button. Cybercriminals frequently craft messages that closely resemble legitimate promotional and service notifications, deliberately blurring the line between genuine correspondence and deception. The so-called “unsubscribe” links in these fraudulent messages seldom work as advertised.

Rather than removing the recipient's address from any mailing list, these links usually serve to monitor user behaviour, redirect unsuspecting individuals to malicious websites, or solicit sensitive information under false pretences. A common tactic is to ask recipients to enter their passwords or other credentials to "confirm removal".

Though it might seem innocuous, this act could compromise email accounts, grant unauthorised access to financial information, or expose personal details that facilitate identity theft. Clicking these links does not solve the spam problem; it inadvertently validates the address as active, encouraging spammers and cybercriminals to target it further.

In some cases it is hard to know whether an unsubscribe link can be trusted. In any case, users ought to be cautious of emails that show any of the following warning signs: the sender's identity is unfamiliar and the message references services or offers that were never requested; the content contains spelling mistakes, poor formatting, or generic greetings such as "Dear Customer"; the sender's address uses a domain not associated with the well-known company it claims to represent; or the unsubscribe link itself leads to a questionable page.

In such situations, security experts strongly recommend that users delete the email rather than interact with the embedded links, since vigilance remains the best defence against these ever-evolving threats. TK Keanini, Chief Technology Officer at DNSFilter, recently pointed out that simply clicking the unsubscribe link in an email carries significant security concerns.

A DNSFilter estimate indicates that approximately one in every 644 unsubscribe clicks lands on a potentially malicious website, which underscores how pervasive and effective these tactics have become. The impact on unprepared email users varies widely.

In the less harmful cases, cybercriminals merely verify that the address belongs to an engaged individual, making it a valuable target for future attacks. With this knowledge, attackers typically build detailed profiles of their victims, laying the foundation for more sophisticated schemes such as ransomware attacks, fraudulent e-commerce sites that harvest payment information, or campaigns that deliver malware through subsequent communication.

In more severe cases, a malicious unsubscribe link can exploit browser vulnerabilities when it is opened, causing harmful software to be installed on the computer immediately. This scenario depends on several factors, including specific security flaws in the user's browser, but security experts warn that it cannot be dismissed.

According to one expert, such direct attacks are not the most efficient way for criminals to operate, but users who interact with suspicious unsubscribe links still risk serious harm. Given this reality, it is crucial to maintain a sceptical mindset about email security and to adhere to best practices as far as possible.

Technology experts and cybersecurity firms have repeatedly emphasised that individuals should not click unsubscribe links unless the sender's identity has been fully verified and trusted. To reduce the risk of exposure to malicious websites or phishing traps, users are encouraged to use modern email services, such as Gmail, which come with built-in security and management tools.

People have several options for unsubscribing from email lists, and Gmail's native "List-Unsubscribe" feature is one of the most helpful. This secure opt-out function lets users leave a list without interacting with potentially fraudulent links, by connecting directly to reputable platforms such as Mailchimp and Constant Contact.

Further, marking suspicious messages as spam not only removes them from the inbox but also trains Gmail's machine-learning filter so that similar messages are blocked automatically in the future. Beyond safeguarding their primary addresses, individuals can rely on alias and masking services such as Apple's “Hide My Email” and ProtonMail's aliasing capabilities.

With these tools, users create disposable addresses that shield their main accounts from harvesting attempts, reducing the risks they face later. Cybersecurity experts also recommend watching for subtle signs of malicious intent: typographical errors, unusual domain structures, or the absence of HTTPS on linked websites all suggest the sender may be fraudulent.

For business owners or professionals managing large volumes of email, advanced measures such as granular filtering rules, sandboxing technologies, and secure gateways add further layers of defence against evolving threats. It is also essential never to submit personal information or login credentials through a link received in an email without first independently verifying the legitimacy of the request through trusted channels.

The List-Unsubscribe header has become increasingly common among reputable email providers and clients. It is a discrete layer of metadata embedded in the structure of an email rather than displayed in its visible content. Subscription management becomes more secure this way because unsubscribe requests are handled in the controlled environment of the email client itself, significantly reducing the risk of malicious manipulation.

Recipients seldom encounter this detail directly, but it provides the foundation for the safe unsubscribe options offered by trusted services such as Gmail, which connect users seamlessly to a range of verified mailing platforms. To make sure any link embedded in an email is genuine, cybersecurity specialists strongly recommend a deliberate assessment of the link.

Users should make sure that the web address corresponds precisely to the legitimate sender's domain and that HTTPS is present, as this is a crucial safeguard for secure communication. Hovering the mouse over a link without clicking reveals the true destination URL, which should be reviewed carefully. Deviations or the absence of secure protocols should be regarded as warning signs.
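The header-based unsubscribe and the link checks described above can be automated. The following added example (not part of the original post) parses a message's `List-Unsubscribe` header (RFC 2369) and the one-click `List-Unsubscribe-Post` header (RFC 8058) with Python's standard `email` library, then applies the checks the article recommends: the opt-out target must use HTTPS, its host must belong to the sending domain, and it must not route through a login page. The two sample messages are constructed for the example, and the decision to accept subdomains of the sender's domain is a design choice of this code, not a rule from the article.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a newsletter with RFC 2369 and RFC 8058 headers.
SAMPLE_GOOD = """\
From: Newsletter <news@example-shop.com>
To: user@example.org
Subject: Weekly deals
List-Unsubscribe: <mailto:unsub@example-shop.com?subject=unsubscribe>, <https://example-shop.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body text.
"""

# Constructed sample shaped like the "confirm removal" lure the article describes.
SAMPLE_BAD = """\
From: "Your Bank" <alerts@secure-bank-login.xyz>
To: user@example.org
Subject: Click to unsubscribe
List-Unsubscribe: <http://confirm-removal.xyz/login?u=user%40example.org>

Enter your password to confirm removal.
"""


def parse_list_unsubscribe(raw: str):
    """Return (sender_domain, list of unsubscribe targets, one_click flag)."""
    msg = email.message_from_string(raw, policy=policy.default)
    # policy.default exposes structured addresses on the From header.
    sender_addr = msg["From"].addresses[0].addr_spec
    sender_domain = sender_addr.rsplit("@", 1)[1].lower()
    targets = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    post = (msg.get("List-Unsubscribe-Post", "") or "").lower()
    one_click = "list-unsubscribe=one-click" in post
    return sender_domain, targets, one_click


def same_org(host: str, sender_domain: str) -> bool:
    """True if host is the sender's domain or one of its subdomains."""
    return host == sender_domain or host.endswith("." + sender_domain)


def assess_unsubscribe(raw: str) -> list:
    """Apply the article's checks to the header-based unsubscribe targets."""
    sender_domain, targets, one_click = parse_list_unsubscribe(raw)
    findings = []
    if not targets:
        findings.append("no List-Unsubscribe header; only the body link is offered")
        return findings

    for target in targets:
        parsed = urlparse(target)
        if parsed.scheme == "mailto":
            # urlparse leaves the address in .path for mailto: URLs.
            domain = parsed.path.rsplit("@", 1)[-1].lower()
            if not same_org(domain, sender_domain):
                findings.append(
                    f"mailto target domain '{domain}' differs from sender '{sender_domain}'"
                )
        elif parsed.scheme in ("http", "https"):
            host = (parsed.hostname or "").lower()
            if parsed.scheme != "https":
                findings.append(f"unsubscribe URL is not HTTPS: {target}")
            if not same_org(host, sender_domain):
                findings.append(
                    f"unsubscribe host '{host}' differs from sender '{sender_domain}'"
                )
            # A genuine opt-out never needs a password.
            if "login" in parsed.path.lower() or "password" in parsed.query.lower():
                findings.append(
                    "unsubscribe URL asks for login; legitimate opt-out needs no credentials"
                )
        else:
            findings.append(f"unexpected scheme in target: {target}")

    # Without one-click, the client has to open the URL in a browser.
    if not one_click and any(t.startswith("http") for t in targets):
        findings.append(
            "no List-Unsubscribe-Post one-click header; client must open the URL in a browser"
        )
    return findings


if __name__ == "__main__":
    print("good:", assess_unsubscribe(SAMPLE_GOOD) or "OK")
    print("bad: ", assess_unsubscribe(SAMPLE_BAD))
```

With the one-click header present and both targets under the sender's domain, the first message yields no findings and a client can honour the opt-out with a POST request, never showing the user a link. The second message fails every check: plain HTTP, a host unrelated to the sender, a login page, and no one-click support.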

Beyond link inspection, individuals can take further steps to prevent scams and harmful software. Marking questionable messages as spam lets the email client filter similar threats automatically in the future, while blocking the sender stops further correspondence and reduces ongoing exposure.

Using disposable or alias email addresses when dealing with new or untrusted services is an effective way to compartmentalise risk and prevent exploitation of one's main inbox. Ultimately, in the ongoing effort to combat spam and cyber threats, diligence matters more than convenience.

Although unsubscribe links might seem like a straightforward way to deal with unwanted email, malicious actors often use them to verify active accounts, orchestrate phishing schemes, and spread malware. To strengthen their defences, users should regularly verify the legitimacy of senders, carefully examine URLs, and use the secure unsubscribe feature built into reputable email platforms.

Countless dangers can lurk beneath an "unsubscribe" button, so users must maintain awareness and exercise caution to protect their personal information and devices in today's digital environment. As cybercriminals' tactics grow in sophistication and subtlety, it has never been more important for individuals and organisations alike to take an active, informed approach to email security.

Users should establish clear protocols for handling unsolicited messages rather than relying on instinct or convenience. These protocols include implementing layered security tools, keeping software updated, and teaching staff and family members the nuances of digital hygiene, including how to handle unsolicited messages.

By reviewing account activity, using strong password practices, and utilising multi-factor authentication, one can further reduce the risk of unauthorised access if credentials are compromised in the future. The process of verifying the legitimacy of email messages—no matter how routine it may seem—contributes in the end to a broader culture of caution and resilience. 

It is imperative that, in these times when the line between legitimate communication and exploitation becomes increasingly blurred, people cultivate a mindset of deliberate scrutiny as a means of protecting themselves.

Fake Resumes Become Weapon of Choice for FIN6 Threat Group


The FIN6 cybercrime group, which has been associated with high-profile financial breaches for many years, is now running a sophisticated new campaign targeting corporate recruitment channels. Threat actors impersonate qualified job applicants, sending compelling resumes with malicious payloads embedded in them.

In most cases, these fraudulent applications are accompanied by links to phishing websites that appear legitimate but exist to trick human resources professionals into unknowingly downloading malware or disclosing login information. FIN6 exploits the trust inherent in the hiring process to penetrate enterprise networks through human resources departments, which security programmes often treat as a relatively low-risk vector.

As soon as attackers gain access, they establish persistent backdoors that allow them to harvest credentials, reach unauthorised systems, and distribute ransomware or data exfiltration tools. Beyond highlighting the growing scope of social engineering threats, this campaign exposes a critical blind spot in corporate security, as threat actors exploit the urgency and volume of modern hiring practices to bypass traditional technical defences.

With the rise of e-mail, job portals, and resume-sharing platforms, organisations' attack surface grows broader as they digitise their recruitment workflows. FIN6's latest tactic makes clear that cybersecurity must extend beyond IT departments into every aspect of corporate operations, including human resources. The group poses as job applicants to corporate recruiters, a sophisticated variation on traditional social engineering.

Using persuasive resumes and embedded links to phishing websites, the attackers aim to trick human resources personnel into installing malware under the guise of routine candidate screening.

This strategic pivot demonstrates the group's growing reliance on psychological manipulation over brute-force technical intrusion, capitalising on the inherent trust embedded in recruitment communications. FIN6, also referred to in threat intelligence circles as "Skeleton Spider", first gained attention for its financially motivated attacks, notably the compromise of point-of-sale (PoS) systems to obtain credit card information.

The group, with its ever-evolving methods, is estimated to have expanded its operations to include ransomware attacks, collaborating with prominent ransomware strains like Ryuk and Locky. In its recent campaign, FIN6 has been observed distributing More_eggs, a stealthy JavaScript-based backdoor sold as malware-as-a-service (MaaS).

Once installed, this malware facilitates credential harvesting and remote system access and serves as a launchpad for ransomware. More_eggs blends seamlessly into legitimate Windows processes and can evade many traditional endpoint detection systems, which makes it especially dangerous.

The group's reliance on this payload highlights a wider trend in the threat landscape: the integration of social engineering with advanced malware delivery to circumvent layered security. FIN6 is widely known to have originated as a group that orchestrated large-scale breaches of retail point-of-sale (PoS) systems.

It has continuously adjusted its tactics since becoming known in 2014 as one of the most dangerous cyber threat groups. In this campaign it has reimagined the classic job scam: rather than targeting job seekers, it builds trust with recruiters. Its phishing messages mention resume links in plain text rather than as clickable hyperlinks.

Recipients must therefore type the URLs into their browsers manually, which bypasses automated security filters designed to detect malicious links in emails. The domains used in these campaigns are usually registered anonymously and constructed to mimic the names of plausible job applicants. Hosted on Amazon Web Services infrastructure, the sites resemble legitimate portfolios or resumes once accessed.

Behind this facade lies a web of sophisticated evasion methods, including traffic-filtering mechanisms that differentiate between human users and automated security crawlers such as sandboxes. These filters assess criteria such as whether the visitor uses a residential IP address, whether browser behaviour is consistent with a Windows environment, and whether the user has completed CAPTCHA challenges. Only visitors who satisfy all of the requirements are presented with a ZIP archive disguised as the job applicant's portfolio.

The archive contains a malicious .lnk file crafted to look like a standard resume. When executed, the shortcut triggers the installation of More_eggs, a JavaScript backdoor associated with the threat actor Venom Spider. The stealthy malware gives attackers remote access to systems, enabling them to steal credentials, conduct surveillance, and potentially deploy ransomware.
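The lure described above, a shortcut file inside a ZIP posing as a resume, is something a mail gateway or a recruiter's intake tooling can screen for without opening the shortcut. The following added example (not from the original post or from any vendor's product) lists the entries of a ZIP attachment in memory and flags shell-link and script extensions, document-plus-executable double extensions such as `Resume.pdf.lnk`, and `.lnk` entries whose contents do not start with the Windows shell-link header. The two archives it inspects are constructed in code; the `.lnk` entry is a dummy header followed by zeros, not a real shortcut.

```python
import io
import zipfile

# File types that execute on double-click or whose extension Explorer hides.
EXECUTABLE_EXTS = {".lnk", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".exe", ".scr", ".bat", ".cmd"}
# Document types a "resume" would plausibly use.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}

# Every Windows shell link starts with HeaderSize = 0x4C, little-endian.
LNK_HEADER = b"\x4c\x00\x00\x00"


def inspect_zip(data: bytes) -> list:
    """Return findings for a ZIP attachment without extracting or running anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable/shortcut type '{ext}' inside attachment")

            # "Resume.pdf.lnk": looks like a document, runs like a shortcut.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: double extension disguises shortcut as document")

            # Reading four bytes is enough to confirm the claimed type.
            if ext == ".lnk" and archive.read(info)[:4] != LNK_HEADER:
                findings.append(f"{name}: .lnk extension but not a shell-link header")
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign portfolio and one shaped like the lure.
BENIGN = build_sample_zip({
    "portfolio/resume.pdf": b"%PDF-1.4 sample",
    "portfolio/cover.docx": b"PK sample",
})
LURE = build_sample_zip({
    "portfolio/Resume.pdf.lnk": LNK_HEADER + b"\x00" * 72,  # dummy, not a real shortcut
    "portfolio/photo.jpg": b"\xff\xd8",
})


if __name__ == "__main__":
    print("benign:", inspect_zip(BENIGN) or "OK")
    print("lure:  ", inspect_zip(LURE))
```

The benign archive produces no findings; the lure produces two, one for the `.lnk` type and one for the double extension. Because the check works from the central directory and the first four bytes of each entry, it is safe to run on an untrusted attachment before anyone opens it.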

FIN6 showed considerable technical proficiency in executing this attack, demonstrating a deep understanding of both cyber defence mechanisms and human psychology. The campaign shows that organisations must build cybersecurity awareness into all aspects of business operations, including human resources.

In constructing its attack infrastructure, FIN6 has shown a high level of operational security and technical sophistication. The group registered a series of domains anonymously through GoDaddy and hosted them on Amazon Web Services (AWS), a trusted cloud provider that standard security solutions rarely flag.

By using AWS's reputation and global infrastructure, FIN6 makes its malicious portfolio sites look legitimate while evading traditional detection mechanisms. The domain names are chosen to match the fake personas created by the attackers, lending credibility to the phishing activity.

Examples include: bobbyweisman[.]com, emersonkelly[.]com, davidlesnick[.]com, kimberlykamara[.]com, annalanyi[.]com, bobbybradley[.]net, malenebutler[.]com, lorinash[.]com, alanpower[.]net, and edwarddhall[.]com. Each domain is designed to resemble the personal website or portfolio of a legitimate job candidate, matching what recruiters expect to see when they look up applicants.

FIN6's robust environmental fingerprinting and behavioural validation checks protect the campaign from discovery and analysis. Typically, only recruiters who access the site from residential IP addresses on Windows systems are shown the actual malicious content.

When access is attempted through virtual private networks (VPNs), cloud-hosted environments, or non-Windows platforms such as Linux and macOS, decoy content is served instead, reducing the chances that security researchers and automated tools will ever see the malicious payload. Visitors who meet the attackers' criteria are also asked to complete a fake CAPTCHA challenge on the landing page, an extra layer of social engineering.

Once the page has been completed, the visitor is offered a ZIP archive presented as a resume. In reality, the archive contains a .lnk file, a disguised Windows shortcut that launches the More_eggs malware when executed. With this JavaScript-based backdoor, the threat actors can gain persistence, exfiltrate credentials, and possibly launch ransomware. The campaign's precise targeting and environmental filtering reflect FIN6's strong understanding of digital trust signals, making it one of the most technically sophisticated phishing operations seen in the past couple of years.

To mitigate the risk posed by targeted social engineering campaigns such as those orchestrated by FIN6, organisations must adopt a multilayered security strategy that combines technical defences with human vigilance. Because human resources professionals and recruiting teams are increasingly targeted by cybercriminals, it is imperative that they stay informed about cybersecurity.

Employees who regularly handle external emails and file attachments should receive comprehensive, role-specific security training. Participants should learn to recognise phishing indicators, understand social engineering tactics, and know the proper protocol for reporting suspicious activity.

On the technical side, organisations should implement sandboxing solutions that allow potentially malicious attachments to be safely detonated and analysed before they reach production systems. This proactive step can prevent malware disguised as legitimate files from ever executing.

System administrators should also consider disabling or restricting the execution of .LNK shortcut files unless they serve a clearly defined and necessary business function. Phishing attacks frequently exploit this file type because it offers a direct path to executing embedded scripts without the user being aware of it.

A strong policy should be enforced across departments that all downloaded files must be verified before they are opened, backed by automated scanning tools wherever possible. It is also important to invest in robust endpoint detection and response (EDR) systems. These tools continuously monitor system behaviour, detect anomalies, and take real-time action against threats such as unauthorised downloads, lateral movement, or attempts to establish persistent backdoors.
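The "verify downloaded files before opening" step can be automated for the archive format this campaign used. The following is an added example written for this article, not a tool from the researchers or any vendor: it opens a ZIP in memory and flags members that are Windows shortcuts, both by the `.lnk` extension (which Explorer hides by default, so `Resume.pdf.lnk` displays as `Resume.pdf`) and by the Shell Link header bytes from the MS-SHLLINK specification, so a shortcut renamed to another extension is caught as well. The archive it scans is constructed here; the shortcut stand-ins are a valid header followed by padding, not working shortcuts.

```python
"""Flag Windows shortcut (.lnk) files inside a ZIP before anyone opens it.

Added example for the FIN6 write-up; not code from the campaign or a vendor.
The sample archive is constructed below.
"""
import io
import zipfile

# A Shell Link file begins with HeaderSize 0x0000004C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046, laid out little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def shortcut_indicators(name: str, head: bytes) -> list[str]:
    """Reasons a ZIP member looks like a shortcut; empty list means none."""
    reasons = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        reasons.append("extension .lnk (hidden by Explorer by default)")
        # 'Resume.pdf.lnk' is shown to the user as 'Resume.pdf'.
        base = lower[:-4].rsplit("/", 1)[-1]
        if "." in base:
            reasons.append("double extension masquerading as a document")
    if head.startswith(LNK_MAGIC):
        reasons.append("MS-SHLLINK header present")
    return reasons


def scan_archive(data: bytes) -> list[dict]:
    """Return one finding per member that is, or hides, a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = shortcut_indicators(info.filename, head)
            if reasons:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "reasons": reasons,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed 'portfolio' ZIP: one benign file, one shortcut with a
    document-style double extension, one shortcut renamed to hide its type.
    The shortcut bodies are header + padding only and do nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Portfolio/cover_letter.txt", "Thank you for your time.\n")
        zf.writestr("Portfolio/Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Portfolio/notes.dat", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"{finding['name']} ({finding['size']} bytes): "
              + "; ".join(finding["reasons"]))
```

Reading only the first 20 bytes of each member keeps the check cheap enough to run on every inbound archive; a gateway would normally quarantine on any finding rather than just report.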

By combining technical safeguards with targeted user education, organisations can significantly reduce their exposure to advanced, socially engineered attacks and safeguard their critical business functions from compromise.

The sophistication of threats such as those deployed by FIN6 makes it imperative for organisations to take a strategic, forward-looking approach to protecting all business units, not just their IT infrastructure. Cybercriminals are increasingly weaponising everyday workflows such as recruitment, so security must be embedded in the culture of every department, particularly those seen as non-technical.

Developing a culture of cyber resilience requires more than reactive defences; proactive risk assessments, threat modelling, and interdepartmental collaboration must become integral to it. To keep their defences future-proof, enterprises need to invest in adaptive security architectures that incorporate behavioural analytics, threat intelligence, and zero-trust access controls.

Recruitment and human resources technologies need to be evaluated from a security-first perspective, with third-party job boards, resume processing platforms, and applicant tracking systems rigorously vetted. Internal processes and vendor partnerships should be updated continually to reflect the evolving threat landscape.

As businesses embrace digital transformation, so do threat actors. The FIN6 campaign is a stark demonstration of how trust can be manipulated in even the most unexpected situations.

Organisations that recognise this shift and respond by building resilience at both the technological and human level will have a much better chance of defending their data, reputation, operations, and long-term stability in an era where every click carries consequences.

Phishing Scam Hits HMRC: £47M Lost, 100,000 Tax Accounts Affected—Officials Confirm No Loss to Individuals

 

HM Revenue and Customs (HMRC) has reported a loss of £47 million following a large-scale phishing scam that compromised approximately 100,000 individual tax accounts, members of Parliament were informed on Wednesday.

Senior HMRC officials appeared before the Treasury Committee, revealing that tens of thousands of people have either been notified or are in the process of being contacted after their accounts were suspended in response to the security breach. The attack, described as a case of "organised crime," began in 2023.

John-Paul Marks, HMRC’s chief executive, assured the committee that “It’s about 0.2% of the PAYE population, around 100,000 people, who we have written to, are writing to, to notify them that we detected activity on their PAYE account.”

He clarified that individual taxpayers—not businesses—were targeted, but “no financial loss to those individuals” has occurred.

Marks explained that the attackers used personal information acquired through phishing attempts outside of HMRC’s infrastructure. “This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” he said.

The phishing campaign, which reached across international jurisdictions, has already led to several arrests, according to Marks.

Angela MacDonald, deputy chief executive and second permanent secretary at HMRC, disclosed that “at the moment, they’ve managed to extract repayments to the tune of £47m. Now that is a lot of money, and it’s very unacceptable.” However, she also emphasized HMRC’s broader protective measures, stating: “We have overall, in the last tax year, we actually protected £1.9bn worth of money which sought to be taken from us by attacks.”

MacDonald was firm in stating that the incident does not classify as a cyberattack: “We have not been hacked, we have not had data extracted from us.” She clarified that while this breach involved fraudulent use of external identity data, there was no infiltration of HMRC systems. “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here.”

HMRC has since taken corrective measures by locking affected accounts, deleting login credentials, and rectifying any inaccuracies in taxpayers’ records. Impacted individuals will receive official communication within three weeks.

Meanwhile, Marks noted that an unrelated outage had affected HMRC’s phone lines on Wednesday afternoon, but said this was purely “coincidental” and services would resume on Thursday.

An HMRC spokesperson reiterated the agency’s stance: “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with other law enforcement agencies both in the UK and overseas to bring those responsible to justice. This was not a cyber-attack – it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC. We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”

This revelation follows recent warnings to UK banks and payment providers to enhance anti-fraud systems amid a surge in international scam-related money transfers. New data indicates that 11% of 2024’s authorised push payment scam losses originated from cross-border transactions—nearly double that of 2023.

WhatsApp Image Scam Uses Steganography to Steal User Data and Money

 

With over three billion users globally, including around 500 million in India, WhatsApp has become one of the most widely used communication platforms. While this immense popularity makes it convenient for users to stay connected, it also provides fertile ground for cybercriminals to launch increasingly sophisticated scams. 

A recent alarming trend involves the use of steganography—a technique for hiding malicious code inside images—enabling attackers to compromise user devices and steal sensitive data. A case from Jabalpur, Madhya Pradesh, brought this threat into the spotlight. A 28-year-old man reportedly lost close to ₹2 lakh after downloading a seemingly harmless image received via WhatsApp. The image, however, was embedded with malware that secretly installed itself on his phone. 

This new approach is particularly concerning because the file looked completely normal and harmless to the user. Unlike traditional scams involving suspicious links or messages, this method exploits a far subtler form of cyberattack. Steganography is the practice of embedding hidden information inside media files such as images, videos, or audio. In this scam, cybercriminals embed malicious code into the least significant bits of image data or in the file’s metadata—areas that do not impact the visible quality of the image but can carry executable instructions. These altered files are then distributed via WhatsApp, often as forwarded messages. 

When a recipient downloads or opens the file, the embedded malware activates and begins to infiltrate the device. Once installed, the malware can harvest a wide range of personal data. It may extract saved passwords, intercept one-time passwords, and even facilitate unauthorized financial transactions. What makes this form of attack more dangerous than typical phishing attempts is its stealth. Because the malware is hidden within legitimate-looking files, it often bypasses detection by standard antivirus software, especially those designed for consumer use. Detecting and analyzing such threats typically requires specialized forensic tools and advanced behavioral monitoring. 
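The least-significant-bit hiding described above leaves a statistical trace that forensic tools look for. The following is an added example written for this article, not code from the investigators or from WhatsApp: the classic "pairs of values" chi-square test, which exploits the fact that writing random-looking (compressed or encrypted) data into the LSBs drives the counts of each pixel value pair (2k, 2k+1) towards equality, while untouched images keep uneven pair counts. It operates on a list of 8-bit greyscale samples; the cover image is constructed, and decoding a real image file into such samples (for example with Pillow) is assumed rather than shown. One caveat worth keeping in mind: bits hidden this way are inert data and need a separate component on the device to extract and run them.

```python
"""Pairs-of-values chi-square check for LSB steganography.

Added example for the WhatsApp image scam article; not the investigators'
code. The cover image and payload below are constructed.
"""
import random

WIDTH, HEIGHT = 64, 64  # constructed 8-bit greyscale cover, 4096 samples


def make_cover_image() -> list[int]:
    """Synthetic cover: a diagonal gradient quantised to multiples of 4.
    Real photographs also have uneven (2k, 2k+1) pair counts; here the odd
    member of every pair is empty, an exaggerated version of that."""
    return [
        ((x + y) * 255 // (WIDTH + HEIGHT - 2)) & ~3
        for y in range(HEIGHT)
        for x in range(WIDTH)
    ]


def embed_lsb(pixels: list[int], payload: bytes) -> list[int]:
    """Write payload bits into the LSB of consecutive samples (the hiding
    step the article describes). The result is still just pixel data."""
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))
    out = list(pixels)
    for idx, bit in zip(range(len(out)), bits):
        out[idx] = (out[idx] & ~1) | bit
    return out


def lsb_pair_score(pixels: list[int]) -> float:
    """Chi-square statistic over (2k, 2k+1) value pairs, per degree of
    freedom. Random LSB embedding equalises each pair, so the score collapses
    towards 1.0; untouched images score well above that."""
    hist = [0] * 256
    for value in pixels:
        hist[value] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue  # pair absent from the image, contributes nothing
        chi += (even - odd) ** 2 / total
        dof += 1
    return chi / dof if dof else 0.0


EMBEDDED_THRESHOLD = 2.0  # per-pair chi-square near 1.0 means "equalised"


def classify(pixels: list[int]) -> str:
    return ("lsb-embedding-suspected"
            if lsb_pair_score(pixels) < EMBEDDED_THRESHOLD else "clean")


def sample_payload(nbytes: int, seed: int = 2024) -> bytes:
    """Random bytes standing in for a compressed/encrypted payload (constructed)."""
    return random.Random(seed).randbytes(nbytes)


if __name__ == "__main__":
    cover = make_cover_image()
    stego = embed_lsb(cover, sample_payload(len(cover) // 8))
    print("cover:", round(lsb_pair_score(cover), 2), classify(cover))
    print("stego:", round(lsb_pair_score(stego), 2), classify(stego))
```

The test is only sensitive to sequential embedding of high-entropy data; payloads spread by a key across the image, or hidden in metadata chunks rather than pixels, need other checks, which is why the article's point about specialised forensic tooling stands.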

In the Jabalpur case, after downloading the infected image, the malware gained control over the victim’s device, accessed his banking credentials, and enabled unauthorized fund transfers. Experts warn that this method could be replicated on a much larger scale, especially if users remain unaware of the risks posed by media files. 

As platforms like WhatsApp continue working to enhance security, users must remain cautious and avoid downloading media from unfamiliar sources. In today’s digital age, even an innocent-looking image can become a tool for cyber theft.

Coinbase Offers $20m Bounty to Take Down Perpetrators Behind Social Engineering Attack

 

Coinbase, a renowned cryptocurrency exchange, is offering a $20 million reward to anyone who can help identify and bring down the culprits behind a recent cyber-attack, rather than fulfilling their ransom demands.

On May 15, Coinbase said that attackers bribed and recruited a group of rogue offshore support agents to steal client data and carry out social engineering attacks. The attackers intended to exploit the stolen data to impersonate Coinbase and trick users into handing over their cryptocurrency holdings.

The US crypto firm was asked to pay a $20 million ransom to end the scam. However, Coinbase has openly refused to pay the ransom. Instead, it is collaborating with law enforcement and security sector experts to track down the stolen assets and hold those behind the scheme accountable. 

Coinbase introduced the 'Bounty' program, which includes the $20 million reward fund. The funds will be awarded to anyone who can offer information that leads to the arrest and conviction of the culprits responsible for the attack. 

Establishing safety protocols

Coinbase acted quickly against the insider offenders, firing them and reporting them to US and international law enforcement authorities. The crypto exchange will compensate customers who were duped into sending funds to the perpetrators as a result of the social engineering.

Furthermore, the crypto exchange suggested that it was putting in place additional measures, such as requesting extra ID checks for substantial withdrawals from flagged accounts and showing mandatory scam-awareness messages. 

The company is also expanding its support operations by establishing a new help hub in the United States and tightening security controls and monitoring across all sites. It is strengthening its defences by investing more in insider threat detection and automated response, as well as simulating similar security incidents to discover potential flaws.

Coinbase is also working with law enforcement and the private sector to identify the attackers' addresses, allowing authorities to track down and perhaps recover the stolen assets. Finally, Coinbase wants to file criminal charges against those who carried out the cyberattack.

CBI Uncovers Tech Support Scam Targeting Japanese Nationals in Multi-State Operation

 

The Central Bureau of Investigation (CBI) has uncovered a major international scam targeting Japanese citizens through fake tech support schemes. As part of its nationwide anti-cybercrime initiative, Operation Chakra V, the CBI arrested six individuals and shut down two fraudulent call centres operating across Delhi, Haryana, and Uttar Pradesh. 

According to officials, the suspects posed as representatives from Microsoft and Apple to deceive victims into believing their electronic devices were compromised. These cybercriminals manipulated their targets—mainly Japanese nationals—into transferring over ₹1.2 crore (approximately 20.3 million Japanese Yen) under the pretense of resolving non-existent technical issues. 

The investigation, carried out in collaboration with Japan’s National Police Agency and Microsoft, played a key role in tracing the culprits and dismantling their infrastructure. The CBI emphasized that international cooperation was vital in identifying the criminal network and its operations. 

Among those arrested were Ashu Singh from Delhi, Kapil Ghakhar from Panipat, Rohit Maurya from Ayodhya, and three Varanasi residents—Shubham Jaiswal, Vivek Raj, and Adarsh Kumar. These individuals operated two fake customer support centres that mirrored legitimate ones in appearance but were in fact used to run scams. 

The fraud typically began when victims received pop-up messages on their computers claiming a security threat. They were prompted to call a number, which connected them to scammers based in India pretending to be technical support staff. Once in contact, the scammers gained remote access to the victims’ systems, stole sensitive information, and urged them to make payments through bank transfers or by purchasing gift cards. In one severe case, a resident of Hyogo Prefecture lost over JPY 20 million after the attackers converted stolen funds into cryptocurrency. 

Language discrepancies during calls, such as awkward Japanese and audible Hindi in the background, helped authorities trace the origin of the calls. Investigators identified Manmeet Singh Basra of RK Puram and Jiten Harchand of Chhatarpur Enclave as key figures responsible for managing lead generation, financial transfers, and the technical setup behind the fraud. Harchand has reportedly operated numerous Skype accounts used in the scam. 

Between July and December 2024, the operation used 94 malicious Japanese-language URLs, traced to Indian IP addresses, to lure victims with fake alerts. The scheme relied heavily on social engineering tactics and tech deception, making it a highly sophisticated cyber fraud campaign with international implications.

Brushing Scam Targets Amazon Customers with Unsolicited Packages and Hidden Cyber Threats

 

Ray Simmons was confused when he received an unexpected Amazon package containing beet chews. Initially, he thought it might be a joke from someone encouraging him to eat healthier. However, it turned out to be part of a broader scam known as “brushing,” where consumers receive unsolicited deliveries from online sellers attempting to manipulate product ratings and reviews. 

Brushing scams involve third-party sellers who send low-value goods to individuals whose names and addresses are often scraped from publicly available online sources. After the product is delivered, scammers use the recipient’s identity or create a fake account that resembles the recipient to leave positive reviews. These fake reviews can artificially boost a product’s credibility, helping it rank higher in search results and increasing sales. 

While receiving a free item might seem harmless, the scam carries hidden dangers. The U.S. Postal Inspection Service (USPIS) warns that these incidents indicate misuse of personal information. Even more concerning is the potential for packages to include QR codes, which might direct recipients to malicious websites. Scanning such codes can result in the installation of malware or the theft of personal data. 

The scam is a reminder that personal data is often accessible and can be exploited without a consumer’s knowledge. USPIS stresses the importance of not interacting with suspicious elements included in unsolicited packages. Inspector David Gealey noted that even though these items may appear insignificant, they are a signal that someone has unauthorized access to your personal information. 

Fortunately, the package Simmons received did not include a QR code. Nonetheless, he took immediate action by checking his Amazon and banking accounts for any signs of unauthorized access. This kind of vigilance is exactly what USPIS recommends for anyone in a similar situation. 

Authorities advise that recipients of such packages should not scan any QR codes or click on any related links. They also emphasize that there is no obligation to return unsolicited items. Instead, consumers should monitor their financial and e-commerce accounts for any suspicious activity and report the incident to local law enforcement, USPIS, or the Federal Trade Commission.  

Though brushing scams may appear to be minor nuisances, they reflect deeper issues related to data privacy and cyber fraud. Staying informed and cautious can help consumers protect themselves from further harm and support efforts to hold malicious actors accountable.

Two Factor Authentication Under Threat as Sim Swap Fraud Escalates Sharply


 

SIM-swap fraud is estimated to have increased by more than 1,000% in the United Kingdom in just a year, a shocking rise driven by a surge in reported cases. Newly released data from the National Fraud Database shows that incidents rose from 289 in 2023 to almost 3,000 in 2024, a staggering 1,055% increase.

This sharp rise makes clear that cybercriminals are increasingly exploiting the widespread adoption of two-factor authentication, which businesses rely on to protect sensitive customer information. SIM-swap fraud, a sophisticated form of identity theft, sees fraudsters gain control of a victim's mobile phone number by transferring it to a new SIM card, usually without the victim's knowledge.

Once criminals hijack the phone number, they can intercept the security codes and one-time passwords sent via SMS, gaining unauthorised access to online banking, email, and other personal accounts protected by two-factor authentication (2FA). In a world where businesses continue to rely heavily on mobile-based authentication to safeguard user data, this growing threat underscores the urgent need for more resilient, layered cybersecurity strategies.

The dramatic increase in such cases raises critical concerns about the vulnerabilities inherent in current digital security protocols, and it is evident that cybercriminals are evolving their methods of bypassing them. CIFAS, the UK's most prominent fraud prevention organisation, has issued a serious warning about the dramatic rise in SIM-swap fraud reported through 2024, with cases up 1,055%.

The organisation released the figures in its latest Fraudscape report, which examines the UK's fraud landscape and presents a detailed, data-driven analysis of emerging threats, particularly those facing mobile and telecommunications companies. According to the National Fraud Database (NFD), nearly 3,000 SIM-swap incidents were registered during 2024, a significant increase over the previous year's 289 cases.

Fraudsters illicitly transfer the victim's phone number to a SIM card they control, effectively taking over the victim's communications. With access to the victim's calls and text messages, criminals can intercept security verification codes, such as two-factor authentication codes. This allows them to carry out more extensive fraud, including app takeovers, unauthorised account access, and a wider array of identity theft attacks.

The Fraudscape report also indicates that an unprecedented number of fraud cases were filed with the National Fraud Agency (NFF) in 2024, demonstrating that fraud has increased significantly across all sectors. The telecommunications industry in particular has become a prime target, with identity fraud involving mobile services up 87% year-on-year over the last five years alone. This surge has produced more than 16,000 new fraud cases in the industry, suggesting that stronger fraud defences within it are urgently needed.

Compounding the problem, facility takeover fraud, an insidious technique in which criminals seize complete control of an individual's financial and service accounts, has also been on the rise in recent years. In 2024, the number of account takeover cases soared by 76%, with the e-commerce and telecommunications sectors bearing the greatest burden. Nearly half (48%) of all account takeover incidents reported during the year involved mobile phones.

Reports of unauthorised mobile phone upgrades also soared by 96%, indicating that fraudsters are becoming increasingly sophisticated in manipulating telecom infrastructure for illicit gain. This upward trend in mobile-related fraud points to a growing threat landscape within the UK and has prompted calls for urgent action and innovation to improve digital security frameworks.

SIM-swap fraud is a meticulously planned cybercrime that usually begins with the acquisition of a victim's personal and financial information. This sensitive information, such as national identification numbers, mobile phone numbers, bank account numbers, and card details, is often collected through deceptive phishing schemes and sophisticated social engineering tricks.

The scammer tricks victims into voluntarily disclosing their credentials through fraudulent websites or through convincing impersonation over phone calls, messages, or emails. Once this information is in their possession, fraudsters submit a SIM swap request or a number port-out request, either converting the victim's existing physical SIM card to an eSIM with the same telecom provider or transferring the number to another local operator.

These requests are commonly made remotely through the telecom provider's official apps, which streamlines the process and allows criminals to circumvent in-person authentication procedures. In jurisdictions with advanced digital safeguards, a SIM swap is usually governed by a government-regulated electronic verification platform, and identity authentication is required before any SIM replacement or number porting request can be approved.

The most common verification methods include biometric authentication, secure login prompt approvals, and one-time authorisation codes; however, fraudsters have developed ways to exploit even these protective measures. Attackers commonly manipulate victims into unintentionally authorising the swap themselves. Posing as representatives of trusted organisations such as banks, telecom providers, or employers, they create urgent scenarios involving job applications, account updates, or fraud alerts.

Victims who do not understand what is going on approve the verification requests, handing the fraudsters control of their mobile numbers. Once the SIM swap is completed, the victim's original SIM is deactivated and a new SIM card, controlled by the fraudster, is activated. The criminal can then receive the SMS-based two-factor authentication (2FA) codes commonly used to secure online accounts, financial services, and critical communications. With these codes, fraudsters can execute unauthorised transactions, gain access to sensitive digital platforms, and perpetrate identity-related crimes, often without the victim being aware of it at all.

Because SIM-swap fraud is an escalating threat, organisations and individuals alike must reassess their digital security practices and move away from relying exclusively on SMS authentication. Although two-factor authentication is an important layer of security, its dependence on mobile networks has become a critical vulnerability that cybercriminals are exploiting to the fullest. Businesses must adopt more secure authentication methods, including biometric verification, authenticator apps, and hardware security keys, to better protect customer data and digital access points.

Telecom providers must also play a more proactive role by strengthening customer verification protocols, monitoring for unusual SIM activity, and ensuring that SIM swaps and port-out requests are thoroughly checked through multi-step procedures. Policymakers and regulators should likewise consider stronger safeguards across the sector, including a uniform standard for digital identity verification and a real-time fraud alert system.

Consumers must become aware of the risks to defend themselves. Individuals should remain vigilant against SIM tampering, avoid sharing sensitive personal information online or during unsolicited calls, and immediately report any loss of mobile service or suspicious activity on their accounts. Countering fraud on this scale demands an equally dynamic response rooted in education, innovation, and collaboration across all levels of the digital ecosystem. A concerted effort is required if the UK's digital economy, and the wider digital economy as a whole, is to continue to thrive in the face of this growing and extremely intrusive threat.

Cybercriminals Employ Blob URIs to Display Fake Login Pages in Your Browser

 

Cofense Intelligence cybersecurity researchers have discovered a new and increasingly successful technique that attackers are using to deliver credential phishing pages straight to users' email inboxes. 

This technique, which first surfaced in mid-2022, makes use of "blob URIs" (binary large object Uniform Resource Identifiers), addresses that point to temporary data held by your browser on your own computer. Blob URIs have legitimate uses on the web, such as YouTube temporarily storing video data in a user's browser for playback.

A key feature of blob URIs is their localised nature: a blob URI created by one browser cannot be viewed by another, even on the same device. This inherent privacy feature, while advantageous for legitimate online services, has been abused by attackers for malicious purposes.

Cofense Intelligence's report, shared with Hackread.com, explains that security systems that monitor emails cannot easily detect the phoney login pages because blob URI data is not on the regular internet. The link in a phishing email therefore does not lead directly to a fraudulent website. Instead, it directs the user to a real website that the security systems trust, such as Microsoft OneDrive.

Subsequently, the user is directed to an attacker-controlled hidden webpage. The phoney login page is then created in your browser by this hidden website using a blob URI. This page can steal your username and password and send it to the cybercriminals even though it is only saved on your system. 

This poses a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyse website content to detect phishing efforts, the researchers explained. AI-powered security models may not yet be sufficiently trained to differentiate between benign and malevolent usage due to the novelty of phishing attacks employing blob URIs. 

The lack of pattern recognition makes automated detection more difficult and raises the possibility that phishing emails will evade protection, especially when paired with the popular attacker technique of employing several redirects.

Cofense Intelligence has detected many phishing attempts using this blob URI method, with lures designed to fool users into logging in to fraudulent versions of popular services such as OneDrive. These lures include notifications of encrypted messages, prompts to access Intuit tax accounts, and financial institution alerts. Regardless of the initial pretext, the overall attack flow is similar.

Researchers worry that this sort of phishing may become more common due to its ability to bypass security. As a result, even if links in emails appear to lead to legitimate websites, it is critical to exercise caution and double-check before entering your login details. Seeing "blob:http://" or "blob:https://" in the webpage address may indicate this new trick.
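The address check the researchers suggest can be automated. The following is an added example, not code from Cofense or Hackread: it inspects the chain of addresses a browser visits after clicking an email link and flags the pattern described above, a trusted site used as a hop followed by a login page served from a blob: URI. It relies on the fact that a blob URL has the form blob:&lt;origin of the creating page&gt;/&lt;uuid&gt;, so the address itself reveals which page minted the form; the allowlist and the sample chain are constructed for the demo.

```javascript
// Constructed allowlist of origins where a real Microsoft/OneDrive sign-in may live.
const TRUSTED_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://onedrive.live.com",
]);

// Return the origin that created a blob: URL, or null if the address is not a blob: URL.
// The creating origin is the part between "blob:" and the trailing UUID.
function blobCreatingOrigin(address) {
  if (!address.startsWith("blob:")) return null;
  try {
    return new URL(address.slice("blob:".length)).origin;
  } catch {
    return "null"; // blob minted from an opaque origin, e.g. "blob:null/<uuid>"
  }
}

// Classify a single visited address.
function inspectAddress(address) {
  const blobOrigin = blobCreatingOrigin(address);
  if (blobOrigin !== null) {
    // No real identity provider serves its sign-in form from a blob: URI.
    return { address, kind: "blob", origin: blobOrigin, suspicious: true };
  }
  const origin = new URL(address).origin;
  return { address, kind: "web", origin, suspicious: !TRUSTED_ORIGINS.has(origin) };
}

// Assess a navigation chain (first click -> final page) and explain the verdict.
function assessChain(chain) {
  const hops = chain.map(inspectAddress);
  const last = hops[hops.length - 1];
  const earlier = hops.slice(0, -1);
  const trustedHop = earlier.some((h) => h.kind === "web" && !h.suspicious);
  const untrustedHop = earlier.some((h) => h.kind === "web" && h.suspicious);
  let verdict = "ok";
  if (last.kind === "blob") verdict = "phish-like: final page is a blob: URI minted by " + last.origin;
  else if (last.suspicious) verdict = "untrusted final origin " + last.origin;
  // True when a trusted site was only a stepping stone to untrusted or blob content.
  const usedTrustedRedirector = trustedHop && (untrustedHop || last.kind === "blob");
  return { hops, verdict, usedTrustedRedirector };
}

// Constructed sample chain modelled on the flow described in the article (hostnames are placeholders).
const SAMPLE_CHAIN = [
  "https://onedrive.live.com/redir?resid=EXAMPLE",
  "https://hidden.example.net/page.html",
  "blob:https://hidden.example.net/7b1a2c3d-0000-4000-8000-000000000000",
];
```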

M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems


Hackers who attacked Marks & Spencer and the Co-op duped IT professionals into giving them access to their companies' networks, according to a report.

The "social engineering" attack on the Co-op allowed fraudsters to reset an employee's password before infiltrating the network, and a similar method was employed against M&S, insiders told BleepingComputer. 

Hundreds of agency workers at Marks & Spencer were advised not to come to work as the retailer grappled with the aftermath of a hack that cost the business £650 million in a matter of days. 

The disruption started in April when click-and-collect orders and contactless payments were impacted. Stuart Machin, the CEO of M&S, confirmed the issue in a message to customers, stating that the retailer would be making "minor, temporary changes" to in-store operations while it dealt with the ongoing "cyber incident". 

In order to counter the "social engineering" tactic employed by the hackers from the Scattered Spider network against the UK supermarkets, the National Cyber Security Centre (NCSC) has released new guidelines. 

“Criminal activity online — including, but not limited to, ransomware and data extortion — is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared,” noted Jonathon Ellison, NCSC’s national resilience director, and Ollie Whitehouse, its chief technology officer, in a blog post. 

They recommended that firms "review help desk password reset processes" and pay special attention to "admin" accounts, which typically have more access to a company's network. 

The Scattered Spider network is a group of young men from the UK and the United States who gained notoriety in September 2023 when they broke into and locked up the networks of casino companies Caesars Entertainment and MGM Resorts International, demanding large ransoms. 

Caesars paid approximately $15 million to rebuild its network. The group specialises in "breaking down the front door" of networks before passing control to a "ransomware" group, which cripples the network and extorts its owner, according to the Times. 

Tyler Buchanan, a Scottish man accused of being a key member of the organisation, was extradited to the United States from Spain last month after being charged with attempting to hack into hundreds of companies, Bloomberg News reported, citing a US Justice Department official.

At the time of the attack, M&S stated that it was "working extremely hard to restart online and app shopping" and apologised for the inconvenience to customers. It had also been unable to process click-and-collect orders in stores due to the "cyber incident".

Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’


In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real time.

One of its most dangerous features was LabRat, an integrated dashboard that enabled users to monitor ongoing phishing attacks. This tool also allowed cybercriminals to intercept two-factor authentication codes and login credentials, effectively bypassing modern security measures.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.