Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fake Login. Show all posts
Vishing
Cloud systems Credentials Stolen Cyber Attacks Extortion Fake Login phishing saaS Vishing

Hackers Target Cloud Apps Using Phone Scams and Login Tricks



Cybersecurity researchers have identified two threat groups that are executing fast-moving attacks almost entirely within software-as-a-service environments, allowing them to operate with very little visible trace of intrusion.

The groups, tracked as Cordial Spider and Snarky Spider, are also known by multiple alternate identifiers across different security vendors. Investigations show that both groups are involved in high-speed data theft followed by extortion attempts, and their methods show a strong overlap in how operations are carried out. Analysts assess that these groups have been active since at least October 2025. One of them is believed to be composed of native English speakers and is linked to a cybercrime network widely referred to as “The Com.”

According to findings from CrowdStrike, these attackers primarily rely on voice phishing, also known as vishing, to initiate their intrusions. In these cases, individuals are contacted and guided toward fraudulent login pages that are designed to imitate single sign-on systems. These pages act as adversary-in-the-middle setups, meaning they intercept and capture authentication data, including login credentials and session details, as the victim enters them. Once this information is obtained, attackers immediately use it to access SaaS applications that are connected through single sign-on integrations.

Researchers explain that the attackers deliberately operate within trusted SaaS platforms to avoid raising suspicion. Because their activity takes place inside legitimate services already used by organizations, their presence generates fewer detectable signals. This allows them to move quickly from initial compromise to data access. The combination of speed, targeted execution, and reliance on SaaS-only environments makes it harder for defenders to monitor and respond effectively.

Earlier research published in January 2026 by Mandiant revealed that these attack patterns represent a continuation of tactics seen in extortion-focused campaigns linked to the ShinyHunters group. These operations involve impersonating IT staff during phone calls to build trust with victims, then directing them to phishing pages in order to collect both login credentials and multi-factor authentication codes.

More recent analysis from Palo Alto Networks Unit 42 and the Retail & Hospitality ISAC indicates, with moderate confidence, that one of the identified clusters is associated with The Com network. These attacks rely heavily on living-off-the-land techniques, where attackers use legitimate system tools instead of introducing malware. They also make use of residential proxy networks to mask their real geographic location and to evade basic IP-based security filtering systems.

Since February 2026, activity linked to one of these clusters has been directed toward organizations in the retail and hospitality sectors. The attackers combine vishing calls, often impersonating IT help desk personnel, with phishing websites designed to capture employee credentials.

Once access is established, the attackers take steps to maintain long-term control. They register a new device within the compromised account to ensure continued access, and in many cases remove previously registered devices. After doing so, they modify email settings by creating inbox rules that automatically delete notifications related to new device logins or suspicious activity, preventing the legitimate user from being alerted.

Following initial access, the attackers shift their focus toward accounts with higher privileges. They collect internal information, such as employee directories, to identify individuals with elevated access and then use further social engineering techniques to compromise those accounts as well. With increased privileges, they move across SaaS platforms including Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, searching for sensitive documents and business-critical data. Any valuable information is then exfiltrated to infrastructure controlled by the attackers.

Researchers note that in many observed cases, the stolen credentials provide access to the organization’s identity provider, which acts as a central authentication system. This creates a single entry point into multiple SaaS applications. By exploiting the trust relationships between the identity provider and connected services, attackers are able to move across the organization’s cloud ecosystem without needing to compromise each application separately. This allows them to access multiple systems using a single authenticated session.


Read more »
Scams
Alert Cyber Security Fake Login Google Microsoft Scams

Security Alerts or Scams? How to Spot Fake Login Warnings and Protect Your Accounts

 

Your phone buzzes with a notification: “Unusual login activity detected on your account.” It’s enough to make anyone uneasy. But is it a genuine alert about a hacking attempt, or could the message itself be a trap?

Notifications from major platforms like Google, Microsoft, Amazon, or even your bank can be both helpful and risky. While they act as an early warning system against unauthorized access, cybercriminals often exploit this sense of urgency. Fake alerts are designed to trick users into clicking on malicious links and entering sensitive information on fraudulent login pages. Acting impulsively in such moments can unintentionally give attackers access to your accounts.

Understanding Security Alerts

Not every alert signals a compromised account. Many platforms rely on advanced monitoring systems that flag unusual behaviour before any real damage occurs.

These systems may detect:
  • Multiple failed login attempts from different locations
  • Automated attacks using leaked credentials
  • Logins from unfamiliar devices or IP addresses
In many cases, a blocked login attempt simply means the system is working as intended—not that your account has already been breached.

The 3-Second Test: Spotting Real vs Fake Messages

Before clicking on any alert, pause and verify. Even AI-generated phishing emails often fail basic checks:

1. The Sender Check
Always look beyond the display name. Verify the actual email address and domain. Fraudsters often use slight variations like “amazon-support.co.uk” or “service@paypal-hilfe.com
” to appear legitimate.

2. The Hover Trick
On a computer, hover your cursor over any link without clicking. The true destination URL will appear. If it doesn’t match the official website, delete the email immediately.

3. Watch for Panic Tactics
Be cautious of urgent messages such as:
“Act within 10 minutes or your account will be irrevocably deleted!”
Legitimate companies don’t pressure users this way—urgency is a common scam tactic.

Golden Rule: Never click directly from the email. Instead, open your browser, manually type the official website, and log in. If there’s a real issue, it will be visible in your account dashboard.

Using the same password across multiple platforms increases risk. A breach on one website can trigger a domino effect, allowing attackers to access other accounts using the same credentials

The Role of Password Managers

Password managers offer a simple yet powerful solution:

  1. Unique Passwords: They generate strong, complex passwords for each account, ensuring one breach doesn’t compromise everything.
  2. Built-in Phishing Protection: These tools only autofill credentials on legitimate websites, helping you avoid fake login pages.

Tools like Dashlane provide a comprehensive password management experience with seamless autofill and secure password generation. Meanwhile, Bitwarden stands out as a reliable open-source option with robust free features.

Security alerts aren’t always bad news, they often indicate that protective systems are doing their job. The real risk lies in reacting without verification.

By using a password manager and enabling two-factor authentication, you can significantly strengthen your defenses and keep your digital identity secure
Read more »
User Security
blob URIs Cyber Fraud Fake Login Phishing Campaign User Security

Cybercriminals Employ Display Fake Login Pages in Your Browser

 

Cofense Intelligence cybersecurity researchers have discovered a new and increasingly successful technique that attackers are using to deliver credential phishing pages straight to users' email inboxes. 

This technique, which first surfaced in mid-2022, makes use of "blob URIs" (binary large objects-Uniform Resource Identifiers), which are addresses that point to temporary data saved by your internet browser on your own computer. Blob URIs have legitimate uses on the internet, such as YouTube temporarily storing video data in a user's browser for playback.

A key feature of blob URIs is their localised nature; that is, a blob URI created by one browser cannot be viewed by another, even on the same device. This inherent privacy feature, while advantageous for legal online services, has been abused by attackers for malicious objectives.

Cofense Intelligence's report, which was shared with Hackread.com, claims that security systems that monitor emails are unable to easily detect the malicious phoney login pages since Blob URI data isn't on the regular internet. As a result, the link in a phishing email does not lead directly to a fraudulent website. Instead, it directs you to a real website that the security systems trust, such as OneDrive from Microsoft. 

Subsequently, the user is directed to an attacker-controlled hidden webpage. The phoney login page is then created in your browser by this hidden website using a blob URI. This page can steal your username and password and send it to the cybercriminals even though it is only saved on your system. 

This poses a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyse website content to detect phishing efforts, the researchers explained. AI-powered security models may not yet be sufficiently trained to differentiate between benign and malevolent usage due to the novelty of phishing attacks employing blob URIs. 

The lack of pattern recognition makes automated detection more difficult and raises the possibility that phishing emails will evade protection, especially when paired with the popular attacker technique of employing several redirects.

Cofense Intelligence has detected many phishing attempts using this blob URI method, with lures aimed to fool users into logging in to fraudulent versions of popular services such as OneDrive. These entices include notifications of encrypted messages, urges to access Intuit tax accounts, and financial institution alerts. Regardless of the many initial pretexts, the overall attack flow is similar.

Researchers worry that this sort of phishing may become more common due to its ability to bypass security. As a result, even if links in emails appear to lead to legitimate websites, it is critical to exercise caution and double-check before entering your login details. Seeing "blob:http://" or "blob:https://" in the webpage address may indicate this new trick.
Read more »
Spam Notification
Cyber Attacks Fake Login MFA Fatigue Attacks Notifications Spam Notification

Users Duped into Enabling Device Access Due to Overload of Push Notifications

 

Malicious hackers are initiating a new wave of 'MFA fatigue attacks,' in which they bombard victims with 2FA push alerts in an attempt to mislead them into authenticating their login attempts. 

According to GoSecure experts, who have warned that attacks that take advantage of human behaviour to get access to devices are on the upswing. Adversaries employ multi-factor authentication (MFA) fatigue to bombard a user's authentication app with push notifications in the hopes that they will accept and so allow an attacker to obtain access to an account or device. GoSecure described the assault as "simple" in a blog post earlier this week, noting that "it only requires the attacker to manually, or even automatically, send repeated push notifications while trying to log into the victim’s account”. 

Further, it added, “Once the attacker obtains valid credentials, they will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.” 

The attack is exceptionally effective, according to GoSecure, not because of the technology involved, but because it exploits the human component through social engineering. 

Researchers wrote, “Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification. Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.” 

The approach has been seen in the wild in recent years, including during a 2021 campaign in which Russian operators were seen sending push alerts to Office 365 users. Threat actors were spotted performing repeated authentication attempts in short succession against accounts secured with MFA, according to Mandiant research. 

A blog post reads, “In these cases, the threat actor had a valid username and password combination. Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.” 

The researchers also explained how an Office 365 user might detect numerous push notification attempts and how to protect themselves from such assaults. For example, a user might set the MFA service's default limits to allow a specific number of push notification attempts in a certain amount of time. 

GoSecure explained, “In this scenario, a unique two-digit number is generated and must be confirmed on both sides. This is very hard for an attacker to compromise since the attacker is shown a number that must be guessed in the phone (which the attacker doesn’t have access to)." Finally, a “radical move, but a quick solution” could be to disable the push notifications entirely. 

GoSecure also warned, “As app-based authentication mechanisms are being adopted increasingly as a safer way to authenticate a user (versus SMS or phone call) it is expected that this tendency will grow in the future, even be encouraged by Microsoft itself.”
Read more »
Subscribe to: Posts (Atom)