Category: Phishing

  • FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts – no password required

    So, you’ve enabled multi-factor authentication. You’ve taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now? Well, think again. Read more in my article on the Hot for Security…

  • FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA

    The FBI has issued a new cybersecurity warning about a rapidly emerging phishing-as-a-service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users to steal access tokens and bypass multi-factor authentication (MFA). Kali365 is being distributed primarily through Telegram channels,…

  • Defenders fall behind, as AI rewrites the rules of a data breach

    For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that’s no longer the case. Read more in my article on the Fortra blog. Graham Cluley

  • Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace

    Threat actors are rapidly shifting their intrusion tradecraft toward high-speed, SaaS-centric attacks that completely bypass traditional endpoint security. Since October 2025, security researchers have tracked two distinct adversaries, identified as CORDIAL SPIDER and SNARKY SPIDER, conducting aggressive data theft campaigns. These groups operate…

  • Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign

    A sophisticated cybercriminal operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide. Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google’s AppSheet platform to bypass traditional email security filters. By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials…

  • Smashing Security podcast #459: This clever scam nearly hijacked a tech CEO’s Apple ID

    In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg – involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous…

  • Fraudsters are using public planning records to target permit applicants

    If you’re in the middle of applying for a planning or zoning permit, there is some unwelcome news: cyber-criminals have found a way to exploit the bureaucratic tedium of the process against you. Read more in my article on the Fortra blog. Graham Cluley

  • Attackers Hijacking Legitimate Websites to Attack Microsoft Teams users

    A multi-vector phishing campaign is using compromised WordPress sites to steal login credentials from Microsoft Teams and Xfinity users. By hijacking these trusted sites, attackers can bypass security filters and trick victims into disclosing sensitive information. The threat actors are not relying on a single method to…

  • Your Signal account is safe – unless you fall for this trick

    Signal, the encrypted messaging app trusted by security-savvy users around the world, has confirmed that hackers have managed to take over accounts – with government officials and journalists among those being targeted. Read more in my article on the Hot for Security blog. Graham…

  • How hackers bypassed MFA with a $120 phishing kit – until a global takedown shut it down

    In a co-ordinated public-private operation between law enforcement agencies and cybersecurity industry partners, Tycoon 2FA – one of the world’s most prolific phishing-as-a-service platforms – has been dismantled. Read more in my article on the Hot for Security…

  • Phishing Schemes Abuse .arpa TLD and IPv6 Tunnels to Evade Detection

    Cybersecurity researchers at Infoblox Threat Intel have uncovered a highly sophisticated phishing campaign that exploits the foundational plumbing of the internet to bypass enterprise security controls. In a novel evasion tactic, threat actors are weaponizing the .arpa top-level domain (TLD) and utilizing IPv6 tunnels to host…

  • Phishing Attacks Against People Seeking Programming Jobs

    This is new. North Korean hackers are posing as company recruiters, enticing job candidates to participate in coding challenges. When they run the code they are supposed to work on, it installs malware on their system. News article. Bruce Schneier

  • Threat Actors Leverage SharePoint Services in Sophisticated AiTM Phishing Campaign

    Microsoft Defender researchers have exposed a sophisticated adversary-in-the-middle (AiTM) phishing campaign targeting energy sector organizations through SharePoint file-sharing abuse. The multi-stage attack compromised multiple user accounts and evolved into widespread business email compromise (BEC) operations across several organisations. Initial Compromise Through Trusted Vendor The attack…

  • New Sophisticated Phishing Attack Mimic as Google Support to Steal Logins

    Cybersecurity researchers have uncovered a dangerous new phishing campaign that tricks users into surrendering their credentials by impersonating legitimate Google support and notifications. The attack combines vishing (voice phishing), spoofed domains, and Google’s own trusted infrastructure to achieve exceptional success rates against organizations worldwide.…

  • Hackers Abusing Google Tasks Notification for Sophisticated Phishing Attack

    Hackers have launched a sophisticated phishing campaign exploiting Google Tasks notifications to target over 3,000 organizations worldwide, primarily in the manufacturing sector. The December 2025 attacks signal a dangerous shift in email-based threats, in which attackers abuse legitimate Google infrastructure rather than spoofing domains or forging…

  • Critical FortiGate Devices SSO Vulnerabilities Actively Exploited in the Wild

    An active intrusion is targeting critical authentication bypass vulnerabilities in Fortinet’s FortiGate appliances and related products. Threat actors are exploiting CVE-2025-59718 and CVE-2025-59719 to perform unauthenticated single sign-on (SSO) logins via malicious SAML messages, granting attackers administrative access. Fortinet disclosed the flaws in a PSIRT…

  • Gartner tells businesses to block AI browsers now

    Analyst firm Gartner has issued a blunt warning to organizations: Agentic AI browsers introduce serious new security risks and should be blocked “for the foreseeable future.” Read more in my article on the Fortra blog. Graham Cluley (grahamcluley)

  • Smashing Security podcast #446: A hacker doxxes himself, and social engineering-as-a-service

    A teenage cybercriminal posts a smug screenshot to mock a sextortion scammer… and accidentally hands over the keys to his real-world identity. Meanwhile, we look into the crystal ball for 2026 and consider how stolen data is now the jet fuel of cybercrime –…

  • Scam USPS and E-Z Pass Texts and Websites

    Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people…

  • Phake phishing: Phundamental or pholly?

    Debates over the effectiveness of phishing simulations are widespread. Sophos X-Ops looks at the arguments for and against – and our own phishing philosophy. Ross McKerchar (Sophos)

  • New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft

    Threat actors are leveraging Microsoft Azure Blob Storage to craft highly convincing phishing sites that mimic legitimate Office 365 login portals, putting Microsoft 365 users at severe risk of credential theft. This method exploits trusted Microsoft infrastructure, making the attacks harder to spot as the…

  • Malicious-Looking URL Creation Service

    This site turns your URL into something sketchy-looking. For example, www.schneier.com becomes https://cheap-bitcoin.online/firewall-snatcher/cipher-injector/phishing_sniffer_tool.html?form=inject&host=spoof&id=bb1bc121&parameter=inject&payload=%28function%28%29%7B+return+%27+hi+%27.trim%28%29%3B+%7D%29%28%29%3B&port=spoof. Found on Boing Boing. Bruce Schneier

  • Smashing Security podcast #435: Lights! Camera! Hacktion!

    When “bad actors” stop being hackers and start being… actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for…

  • The AI Fix #67: Will Smith’s AI crowd scandal, and gullible agents fall for scams

    In episode 67 of The AI Fix, Graham talks to an AI with a fax machine, Bill Gates says there’s one job AI will never replace, criminals use Claude Code for cyberattacks, Mark reveals why GPT-5 was better than you…

  • SpamGPT – AI-powered Attack Tool Used By Hackers For Massive Phishing Attack

    A sophisticated new cybercrime toolkit named SpamGPT is enabling hackers to launch massive and highly effective phishing campaigns by combining artificial intelligence with the capabilities of professional email marketing platforms. Marketed on the dark web as a “spam-as-a-service” platform, SpamGPT automates nearly every…

  • Smashing Security podcast #432: Oops! I auto-filled my password into a cookie banner

    We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault. Then we time-hop to the post-quantum scramble:…

  • New Gmail Phishing Attack With Weaponized Login Flow Steals Credentials

    A sophisticated new phishing campaign is targeting Gmail users through a multi-layered attack that uses legitimate Microsoft Dynamics infrastructure to bypass security measures and steal login credentials. The attack begins with deceptive “New Voice Notification” emails that appear to come from legitimate voicemail services. These emails…

  • The “Incriminating Video” Scam

    A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a “shockingly realistic” variant, which includes photos of you and your house—more specific information. The…

  • WinRAR 0-Day in Phishing Attacks to Deploy RomCom Malware

    A critical zero-day vulnerability has been identified in WinRAR that cybercriminals are actively exploiting through sophisticated phishing campaigns to distribute RomCom malware. The flaw, designated as CVE-2025-8088, represents a significant security threat with a CVSS v3.1 score of 8.4, enabling attackers to execute arbitrary code on…

  • 10 Best Anti-Phishing Tools in 2025

    Anti-phishing tools are essential cybersecurity solutions designed to detect and prevent phishing attacks. These tools identify and block malicious emails, websites, and messages that attempt to deceive users into disclosing sensitive information such as passwords, credit card numbers, and personal details. They use advanced algorithms, machine learning, and threat…

  • Smashing Security podcast #427: When 2G attacks, and a romantic road trip goes wrong

    Graham warns why it is high time we said goodbye to 2G – the outdated mobile network being exploited by cybercriminals with suitcase-sized SMS blasters. From New Zealand to London, scammers are driving around cities like dodgy Uber drivers, spewing phishing…

  • Cybercrime is surging across Africa

    A new INTERPOL report has sounded the alarm over a dramatic increase in cybercrime across Africa, with digital crime now accounting for a significant proportion of all criminal activity across the continent. Read more in my article on the Hot for Security blog. Graham Cluley (grahamcluley)

  • Dutch police identify users as young as 11-year-old on Cracked.io hacking forum

    Dutch police have announced that they have identified 126 individuals linked to the now dismantled Cracked.io cybercrime forum. Read more in my article on the Hot for Security blog. Graham Cluley (grahamcluley)

  • Top 3 Evasion Techniques In Phishing Attacks: Real Examples Inside

    Phishing attacks aren’t what they used to be. Hackers no longer rely on crude misspellings or sketchy email addresses. Instead, they use clever tricks to dodge detection tools and fool even cautious users. Let’s break down three evasion techniques that are increasingly common in phishing…

  • Why Take9 Won’t Improve Cybersecurity

    There’s a new cybersecurity awareness campaign: Take9. The idea is that people—you, me, everyone—should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share. There’s a website—of…

  • New Spear-Phishing Attack Targeting Financial Executives by Deploying NetBird Malware

    A sophisticated spear-phishing campaign has emerged targeting chief financial officers and senior financial executives across banking, energy, insurance, and investment sectors worldwide, marking a concerning escalation in precision-targeted cyber attacks against corporate leadership. The campaign, which surfaced on May 15, 2025, employs advanced social engineering…

  • Smashing Security podcast #417: Hello, Pervert! – Sextortion scams and Discord disasters

    Don’t get duped, doxxed, or drained! In this episode of “Smashing Security” we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger’s Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases. All this…

  • Hacking Abusing GovDelivery For TxTag ‘Toll Charges’ Phishing Attack

    A sophisticated phishing operation is exploiting compromised Indiana government sender accounts to distribute fraudulent TxTag toll collection messages. The campaign, which emerged this week, leverages the GovDelivery communications platform to lend legitimacy to the scam emails targeting unsuspecting recipients nationwide. Sophisticated Phishing Targets Indiana Toll Users The…

  • Darcula (PhaaS) Stolen 884,000 Credit Card Details on 13 Million Clicks from Users Worldwide

    Security researchers have uncovered one of the largest credit card theft operations in recent history, with a sophisticated Phishing-as-a-Service (PhaaS) platform called “Darcula” responsible for stealing approximately 884,000 credit card details through a massive campaign that generated over 13 million clicks…

  • New Reports Reveals How AI is Boosting the Phishing Attack Rapidly With More Accuracy

    Cybercriminals have dramatically evolved their phishing tactics, leveraging generative AI to create highly personalized and convincing attacks, according to the newly released ThreatLabz 2025 Phishing Report. The days of mass phishing campaigns have given way to hyper-targeted scams designed to exploit…

  • Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing

    QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a blunder so dumb it makes autocorrect look smart, the White House explains how it leaked war plans on Signal because an iPhone mistook a…

  • King Bob pleads guilty to Scattered Spider-linked cryptocurrency thefts from investors

    A Florida man, linked to the notorious Scattered Spider hacking gang, has pleaded guilty to charges related to cryptocurrency thefts which have netted hundreds of thousands of dollars. Read more in my article on the Hot for Security blog. Graham Cluley (grahamcluley)

  • Troy Hunt Gets Phished

    In case you need proof that anyone, even people who do cybersecurity for a living, can be phished: Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. Bruce Schneier

  • Smashing Security podcast #411: The fall of Troy, and whisky barrel scammers

    Renowned cybersecurity expert Troy Hunt falls victim to a phishing attack, resulting in the exposure of thousands of subscriber details, and don’t lose your life savings in a whisky scam… All this and more is discussed in the latest edition of the “Smashing…

  • Mandatory Coinbase wallet migration? It’s a phishing scam!

    An ingenious phishing scam is targeting cryptocurrency investors, by posing as a mandatory wallet migration. Read more in my article on the Hot for Security blog. Graham Cluley (grahamcluley)

  • Webinar: Credential security in the age of AI: Insights for IT leaders

    On Tuesday, March 18 2025, at 1pm EST, I will be joining the experts at Dashlane for an online chat all about credential security in the age of AI. Learn more and make sure to book your free seat. Graham Cluley

  • Device Code Phishing

    This isn’t new, but it’s increasingly popular: The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support…

  • Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks

    Security experts have warned that a cybercriminal group has been running a malicious and inventive phishing campaign since August 2024 to break into organizations across Europe, North America, Africa, and the Middle East. Read more in my article on the Tripwire…

  • Toll booth bandits continue to scam via SMS messages

    North American drivers are continuing to be barraged by waves of scam text messages, telling them that they owe money on unpaid tolls. Do you know what to tell your friends and family to watch out for? Read more in my article on the Hot for…

  • Scalable Vector Graphics files pose a novel phishing threat

    The SVG file format can harbor malicious HTML, scripts, and malware. Andrew Brandt (Sophos)

  • New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data

    A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data. Cybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims.…

  • Social Engineering to Disable iMessage Protections

    I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link…

  • Phishing False Alarm

    A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. Bruce Schneier

  • Canadian man loses a cryptocurrency fortune to scammers – here’s how you can stop it happening to you

    A Canadian man lost a $100,000 cryptocurrency fortune – all because he did a careless Google search. Read more in my article on the Hot for Security blog. Graham Cluley (grahamcluley)

  • Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces

    A sudden disruption of a major phishing-as-a-service provider leads to the rise of another… that looks very familiar. gallagherseanm (Sophos)

  • Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users

    It’s not a new technique, but that doesn’t mean that cybercriminals cannot make rich rewards from SEO poisoning. Read more in my article on the Tripwire State of Security blog. Graham Cluley (grahamcluley)

  • Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”

    Sophos MDR has observed a new campaign that uses targeted phishing to entice the target to download a legitimate remote machine management tool to dump credentials. We believe with moderate confidence that this activity, which we track as STAC 1171, is related to…