@www.microsoft.com - 14d
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.
Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, based on its victimology and tradecraft.
info@thehackernews.com (The Hacker News)@The Hacker News - 49d
Cybercriminals are exploiting the CrowdStrike brand by distributing a cryptominer through fake job offers. A phishing campaign has been identified where malicious actors pose as legitimate recruiters, luring job seekers with fraudulent promises of employment. Victims receive emails mimicking CrowdStrike's recruitment process, directing them to a malicious website. This site prompts them to download a fake “employee CRM application.” Despite offering download options for Windows and macOS, the site delivers a Windows executable, regardless of the user's selection.
This executable, written in Rust, is a downloader for XMRig, a known cryptomining malware. Before deploying the cryptominer, the malware employs several checks to evade detection. These include verifying the presence of a debugger, analyzing active processes, and validating that the system has at least two CPU cores. Once these checks pass, a fake error message is displayed before the XMRig miner is downloaded. The malware achieves persistence by dropping a batch script into the Start Menu Startup directory and creating a Windows Registry logon entry. Once active, the miner uses the victim's system resources to generate cryptocurrency for the attackers, potentially causing overheating and damage to the victim's device.
Bill Toulas@BleepingComputer - 70d
A new phishing-as-a-service platform named "FlowerStorm" is rapidly gaining traction, filling the void left by the recent shutdown of the Rockstar2FA cybercrime service. This platform is specifically designed to target Microsoft 365 accounts, allowing threat actors to easily create and deploy phishing campaigns. FlowerStorm's emergence indicates a rise in sophisticated, automated attacks aimed at Microsoft users.
These campaigns, some of which have recently targeted 20,000 users across the UK and Europe, often use tactics such as Docusign lures to attempt Azure account takeovers. The platform enables attackers to steal credentials and maintain persistent access to the cloud environment, potentially leading to data theft and extortion. This highlights the growing sophistication of cybercriminals and the ease with which they can launch complex phishing schemes.
@PCWorld - 10d
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.
The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder as ageless[.]exe, sets the file's attributes to hidden, and creates “ageless.vbs” in the %Startup% folder so that it runs at logon.
@www.bleepingcomputer.com - 7d
The Darcula phishing-as-a-service (PhaaS) platform is set to launch its third major version, Darcula 3.0, offering cybercriminals unprecedented capabilities. A key feature is the ability for even tech-illiterate individuals to create and deploy do-it-yourself phishing kits targeting any brand globally. This is made possible through browser automation tools like Puppeteer and Headless Chrome, allowing users to clone legitimate websites and inject malicious content with minimal effort. The platform also simplifies the creation of phishing kits by extracting assets and HTML structure from targeted brand websites, enabling fraudsters to customize templates and generate multi-step pages for data collection, such as payment details and two-factor authentication codes.
The updated Darcula platform includes a user-friendly interface that automates the creation of phishing kits. The final product is exported as a “.cat-page” bundle, deployable via Darcula’s admin panel. The admin panel, resembling legitimate Software-as-a-Service (SaaS) platforms, provides dashboards to manage stolen data, monitor campaigns, and configure advanced deception techniques. Built using technologies like Docker, React, and SQLite, it offers IP filtering, web crawler blocking, and device-specific access restrictions to evade detection. The platform also facilitates monetization of stolen data by enabling fraudsters to generate virtual cards from compromised payment details.
Veronika Telychko@SOC Prime Blog - 2d
Criminal group UAC-0173 is actively targeting Ukrainian notaries in a series of cyberattacks. These attacks, which have been ongoing since mid-January 2025, involve the use of DARKCRYSTALRAT malware. The cybercriminals are exploiting RDP tools to breach Ukraine's notarial offices, aiming to manipulate state registers. CERT-UA has issued an alert, CERT-UA#13738, regarding these activities.
SOC Prime has released Sigma rules to detect UAC-0173 attacks leveraging DARKCRYSTALRAT malware, providing cybersecurity professionals with tools to identify and mitigate these threats. These attacks by UAC-0173 highlight the ongoing cyber warfare impacting critical infrastructure and organizations within Ukraine, as CERT-UA's report on the abuse of RDP tools to breach Ukraine’s notarial offices makes clear.
Mels Dees@Techzine Global - 87d
Cybercriminals are exploiting Cloudflare's Pages (pages.dev) and Workers (workers.dev) platforms for malicious activities, leveraging Cloudflare's trusted reputation to enhance the success of their attacks. These platforms, intended for legitimate web development and deployment, are being misused to host phishing attacks, malicious web pages, and targeted email lists. This abuse highlights the risk of attackers leveraging reputable services for nefarious purposes, thereby increasing the likelihood of unsuspecting users falling victim to their schemes. The attackers are exploiting Cloudflare's global reach and security features to make their phishing campaigns appear more legitimate and harder to detect.
Security analysts at FORTRA have reported explosive growth in phishing attacks utilizing Cloudflare Pages and Workers. Specifically, a 198% increase in attacks targeting Cloudflare Pages and a 104% surge in attacks against Cloudflare Workers were observed. These attacks utilize various techniques, including the use of bccfoldering to hide recipient lists in email campaigns and the creation of CAPTCHA-like human verification pages to add an air of legitimacy to phishing attempts. The ease of use and free hosting offered by Cloudflare, combined with features like SSL/TLS encryption, custom domains, and URL masking, make these platforms particularly attractive to malicious actors, and Cloudflare's trusted infrastructure and reverse proxy capabilities make the resulting attacks more difficult to trace and detect. The increasing abuse of Cloudflare's developer domains underscores the challenge of balancing the benefits of accessible developer platforms with the need to mitigate their potential for misuse, and the urgency for both Cloudflare and users to adapt to this evolving threat landscape and implement stronger protective measures.
Zeljka Zorz@Help Net Security - 72d
A sophisticated phishing campaign has compromised approximately 20,000 Microsoft Azure accounts in Europe, primarily targeting manufacturing companies. The attackers used HubSpot’s Free Form Builder to create deceptive forms and DocuSign files, which were used in phishing emails to steal Microsoft Azure login credentials. This operation spanned from June to September 2024 and mainly affected firms in the automotive, chemical, and industrial sectors in Germany and the UK. The attackers aimed for long-term presence in the Azure cloud environments.
@securityonline.info - 13d
A sophisticated phishing campaign is underway, abusing the Webflow content delivery network (CDN) to steal credit card data and commit financial fraud. Attackers are hosting fake PDF documents on Webflow, embedded with CAPTCHA images and a real Cloudflare Turnstile CAPTCHA, to deceive users and evade detection by static scanners. This scheme targets individuals searching for documents on search engines, redirecting them to malicious PDFs.
These PDF files mimic a CAPTCHA challenge, prompting users to click and complete a genuine Cloudflare CAPTCHA, creating a false sense of security. Upon completion, victims are redirected to a page requesting personal and credit card details to "download" the supposed document. After entering their credit card details, users receive an error message, and repeated submissions lead to an HTTP 500 error page, while the attackers already have their information.
Daniel Kelley@SlashNext - 15d
A new phishing kit named Astaroth has emerged as a significant threat, targeting Microsoft, Gmail, Yahoo, AOL, Office 365, and other third-party login services. It uses an evilginx-style reverse proxy to perform man-in-the-middle attacks, enabling it to bypass two-factor authentication (2FA). Discovered on cybercrime marketplaces, Astaroth employs advanced techniques like session hijacking and real-time credential interception to dynamically retrieve authorization tokens, 2FA tokens, and session cookies, unlike traditional phishing tools.
Astaroth operates by redirecting victims to malicious servers mimicking legitimate login pages, complete with SSL certificates to avoid raising security warnings. The kit intercepts traffic in real time, capturing login credentials and 2FA tokens before forwarding them to the legitimate server. Key features include bulletproof hosting and continuous updates for six months. It is marketed as an easy-to-use, 2-in-1 solution, costing $2000, and even includes pre-purchase testing to demonstrate its effectiveness in real-world attacks.
Aman Mishra@gbhackers.com - 3d
Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States. These campaigns, observed since August 2024, have exploited the academic calendar and institutional trust to deceive students, faculty, and staff. The attacks have been linked to a broader campaign dating back to at least October 2022, targeting thousands of users monthly.
The phishing attacks are strategically timed to coincide with key academic events such as the start of the school year and financial aid deadlines. Attackers have tricked victims into revealing sensitive credentials and financial information by leveraging these high-pressure periods. The campaigns employ various tactics, including hosting malicious Google Forms on compromised university domains and cloning university login portals to carry out payment redirection attacks. Separately, Google is addressing security concerns surrounding SMS 2FA codes by replacing Gmail’s SMS authentication with QR codes in the coming months.
Swagta Nath@The420.in - 9h
Cybersecurity firm Prodaft reports that a cyber threat actor known as EncryptHub, also called Larva-208, has compromised at least 618 organizations globally since June 2024. The group conducts widespread spear-phishing and social engineering campaigns to infiltrate corporate networks, employing tactics like SMS phishing (smishing), voice phishing (vishing), and email phishing. These campaigns aim to steal credentials and ultimately deploy ransomware on victim systems.
EncryptHub uses sophisticated techniques, including impersonating IT personnel to trick employees into divulging VPN credentials or installing Remote Monitoring and Management (RMM) software. The group has also registered over 70 domain names mimicking VPN services to enhance the credibility of their phishing attacks. Once inside a network, EncryptHub deploys info-stealing malware and ransomware, like their proprietary Locker.ps1, which uses AES encryption to lock files and demands cryptocurrency payments.
@www.bleepingcomputer.com - 9d
A new JavaScript obfuscation technique has been discovered and is being actively used in phishing attacks. Juniper Threat Labs identified the technique targeting affiliates of a major American political action committee (PAC) in early January 2025. The method leverages invisible Unicode characters to represent binary values, effectively concealing malicious JavaScript code within seemingly harmless text.
This obfuscation technique was first demonstrated in October 2024, highlighting the speed with which such research can be weaponized in real-world attacks. The encoding uses two different invisible Unicode filler characters, the half-width Hangul filler and the full-width Hangul filler, to represent the binary values 0 and 1. This allows attackers to hide entire payloads invisibly within a script; the hidden text is recovered at run time and executed through a Proxy get() trap. Security researchers have posted methods to decode this encoded JavaScript into readable form.
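The decoding step described above, as an added analyst-side example that is not code from the original post or from Juniper Threat Labs. It assumes the two filler characters are U+3164 (Hangul Filler) and U+FFA0 (Halfwidth Hangul Filler); since the report summary does not say which one stands for 0 and which for 1, the decoder tries both polarities and keeps the one that yields printable text. The sample script is constructed here for the demonstration.

```javascript
// Added example: detect and decode JavaScript hidden in Hangul filler runs.
// Assumption: the invisible alphabet is U+3164 and U+FFA0 (not stated on the page).
const HANGUL_FILLER = "\u3164";     // full-width Hangul Filler
const HALFWIDTH_FILLER = "\uFFA0";  // Halfwidth Hangul Filler

// Any run of at least 8 filler characters can carry one encoded byte.
const FILLER_RUN = /[\u3164\uFFA0]{8,}/g;

// Locate suspicious runs so an analyst can find where a payload sits.
function findInvisibleRuns(source) {
  const runs = [];
  for (const m of source.matchAll(FILLER_RUN)) {
    runs.push({ offset: m.index, length: m[0].length });
  }
  return runs;
}

// Decode one run, treating `oneChar` as bit 1 and the other filler as bit 0.
// Both fillers are single UTF-16 code units, so indexing the string is safe.
function decodeRun(run, oneChar) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (let b = 0; b < 8; b++) {
      byte = (byte << 1) | (run[i + b] === oneChar ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// The wrong polarity produces the bitwise complement of every byte, which
// is never printable ASCII, so this check reliably picks the right one.
function isPrintable(s) {
  return /^[\x20-\x7e\n\r\t]*$/.test(s);
}

// Decode every hidden payload in a script; returns one string per run.
function decodeInvisiblePayloads(source) {
  const results = [];
  for (const m of source.matchAll(FILLER_RUN)) {
    const run = m[0];
    const candidates = [decodeRun(run, HANGUL_FILLER), decodeRun(run, HALFWIDTH_FILLER)];
    results.push(candidates.find(isPrintable) ?? candidates[0]);
  }
  return results;
}

// Used only to build the constructed test fixture below: 8 bits per byte,
// most significant bit first, each bit mapped to one of the two fillers.
function encodeInvisible(text, oneChar, zeroChar) {
  let out = "";
  for (const ch of text) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, "0");
    for (const bit of bits) out += bit === "1" ? oneChar : zeroChar;
  }
  return out;
}

// Constructed sample: a benign statement hidden inside an innocuous-looking
// string literal. It renders as an empty-looking string in an editor.
const SAMPLE_SCRIPT =
  "const x = \"" + encodeInvisible("console.log('decoded')", HANGUL_FILLER, HALFWIDTH_FILLER) + "\";";
```

In triage, a non-zero result from findInvisibleRuns on a script is itself a strong signal, since legitimate code has no reason to contain long runs of filler characters.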
@ciso2ciso.com - 30d
A new TorNet backdoor has been discovered being spread through an ongoing phishing campaign. This malicious campaign is targeting primarily users in Poland and Germany, utilizing phishing emails written in Polish and German. These emails impersonate financial institutions and manufacturing companies, containing malicious attachments in .tgz format. When opened, a .NET loader executes, downloading the PureCrypter malware, which is then used to deploy multiple payloads. These payloads include Agent Tesla, Snake Keylogger, and the new TorNet backdoor itself.
The TorNet backdoor is particularly concerning because it connects to its command and control server via the TOR network for stealthy communications, making detection more difficult. The campaign also abuses Windows Scheduled Tasks to achieve persistence, with the task configured to run even when the system is on low battery. These sophisticated techniques emphasize a need for heightened security awareness training and advanced threat detection tools.
info@thehackernews.com (The Hacker News)@The Hacker News - 42d
A new sophisticated phishing kit, dubbed 'Sneaky 2FA,' is actively targeting Microsoft 365 accounts using an Adversary-in-the-Middle (AitM) technique. This kit, sold as phishing-as-a-service (PhaaS) by the cybercrime group 'Sneaky Log' through a Telegram bot, has been in operation since at least October 2024. The kit's primary method involves sending emails with fake payment receipts containing QR codes. These codes redirect victims to phishing pages that steal both login credentials and two-factor authentication codes, bypassing traditional security measures. The phishing pages are hosted on compromised websites, particularly WordPress sites, and have been observed to use blurred screenshots of legitimate Microsoft interfaces to trick users.
The Sneaky 2FA kit also employs several anti-analysis techniques to avoid detection. It filters traffic, uses Cloudflare Turnstile challenges, and performs checks to detect and resist analysis attempts using web browser developer tools. To avoid scrutiny, the kit redirects visitors arriving from data centers, cloud providers, bots, proxies, or VPNs to a Wikipedia page. The kit's operators also use a central server to verify subscription licenses, which are sold for $200 a month. Analysis of the kit's source code reveals overlaps with W3LL Panel OV6, another AitM phishing kit exposed in 2023, indicating a potentially larger and interconnected threat landscape targeting Microsoft 365 users.
Viplav Kushwah (noreply@blogger.com)@cysecurity.news - 18d
Quishing, or QR code phishing, has emerged as a significant cyber threat, exploiting the widespread use of QR codes. Scammers are using counterfeit QR codes to redirect users to fraudulent websites, initiate malware downloads, or steal sensitive information. These malicious codes are embedded in various places, including emails, invoices, flyers, and even physical locations like restaurant menus, preying on the trust users have in QR codes for quick access to digital services.
The techniques used in quishing attacks vary, from embedding fake QR codes in email attachments that appear legitimate to replacing genuine QR codes in public spaces. Cybercriminals often impersonate trusted entities, such as banks, to trick victims into scanning the codes. Consequences of falling victim to quishing can include financial loss, data breaches, and malware deployment, which can compromise both personal and corporate systems. To mitigate these risks, organizations should educate employees about the dangers of scanning unverified QR codes and implement advanced security tools like email security systems with dynamic URL analysis to detect malicious QR codes.
@ciso2ciso.com - 49d
A new phishing campaign is targeting PayPal users by exploiting Microsoft 365 test domains. Scammers are registering free test domains and creating distribution lists, which they then use to send out legitimate-looking PayPal payment requests. This method allows the malicious emails to bypass traditional email security checks because they originate from a verified Microsoft source. The emails appear identical to genuine PayPal requests, making it difficult for email providers to detect and filter them.
When a recipient clicks on the provided link within the email, they are redirected to a PayPal login page, which is made to look like a legitimate payment request. If the user logs in, the scammer gains access to their account. This is because the login process links the victim's PayPal account to the distribution list address created by the attacker, not the actual recipient's address, effectively handing over control to the bad actor. Fortinet's CISO referred to this as "phish-free phishing" because no forged sender or lookalike domain is involved, which is why it bypasses security measures so effectively. To defend against this, users need to be trained to scrutinize unexpected payment requests, and organizations should implement data loss prevention rules that can flag suspicious emails with multiple recipients from a distribution list.
@www.bleepingcomputer.com - 4d
A new phishing scam is targeting PayPal users by exploiting the platform's address settings. Scammers are sending fraudulent purchase confirmation emails, tricking recipients into contacting them under the guise of resolving unauthorized transactions. These emails often carry the subject line "You added a new address" and include a fake purchase confirmation, such as for a MacBook M4, urging users to call a provided phone number if they didn't authorize the transaction. The goal is to create panic and prompt users to seek help from the scammers.
The scam emails originate from PayPal's legitimate email servers, allowing them to bypass security and spam filters. Scammers exploit PayPal's gift address feature by inserting the phishing message into the Address 2 field of a PayPal account, triggering an official PayPal confirmation email containing the scam message. Once a victim calls the fake PayPal support number, the scammers attempt to gain remote access to the user's device, potentially leading to the theft of personal information or the installation of malware.