Security News
A credential-phishing campaign impersonating Bank of America has emerged in the U.S. this month, with emails that got past secure email gateway protections and heavy-hitting controls like DMARC. The emails ask recipients to update their email address, warning that their account could be recycled if they don't. DMARC only authenticates the domain in the From header, so a lure sent from an attacker-owned domain with a bank's name in the display name passes it cleanly. "This ensured that the email wasn't caught in the bulk email filters provided by native Microsoft email security or the Secure Email Gateway."
The phishing emails spoof the U.S. Supreme Court, aiming to capitalize on scare tactics to convince targets to click on an embedded link. "The sender name impersonated the Supreme Court, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language was terse and authoritative, including a CTA in the email - View Subpoena - clearly describing the purpose of the email."
A vulnerability in Microsoft Teams could have allowed an inside attacker to weaponize a single GIF image, using it to pilfer data from targeted systems and take over all of an organization's Teams accounts. Separately, a phishing campaign used a range of Microsoft file-sharing platforms, including Microsoft Sway, Microsoft's platform for newsletters and presentations.
Example lure, reproduced as sent:
CEO and Management Board Meeting for all staffs on Zoom Meeting
This is a reminder that your zoom meeting appointment with H.R and Audit Head will start in few minutes. Your presence is crucial to this meeting and equally required to commence this Q1 perfomance review meeting
Join this Live Meeting
Meeting Purpose: Contract Suspension / Termination Trial.
A phishing attack on GoDaddy gave the phisher the ability to view and modify key customer records; that access was used to change domain settings for a half-dozen GoDaddy customers, including the transaction-brokering site escrow.com. In a statement shared with KrebsOnSecurity, GoDaddy acknowledged that on March 30 the company was alerted to a security incident involving a customer's domain name.
Today, for modest amounts of money, would-be scammers can buy high-quality phishing tools on Dark Web markets, skipping the effort of learning to code, producing graphics, or any of the other steps required to scam someone. On those markets the price of a phishing page averaged $338. Phishing - stealing sensitive information like passwords, credentials, reset notifications and other forms of access through trickery - is the single most common form of online attack.
For anyone who is a Stripe user - even one who hasn't logged in for a while - the email looks pretty genuine. The button didn't lead to a Stripe domain, but the link didn't look particularly out of place either: it was an HTTPS link to a regular-looking .com domain. The padlock only means the connection is encrypted, not that the site belongs to Stripe.
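The two tells that recur in the items above, a brand name in the From display name with an unrelated sender domain (the Supreme Court and Bank of America lures) and a link that leaves the brand's domain even though it is served over HTTPS (the Stripe lure), can be checked mechanically. The following is an added example and not code from any of the articles summarised here; the messages, addresses, domains and the brand-to-domain allowlist are all constructed for the example, and the registrable-domain helper is a deliberate simplification of a Public Suffix List lookup.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the lures described above; every address,
# domain and URL here is invented for this example.
PHISH_MESSAGE = """\
From: "Stripe Support" <notices@example-payments-alerts.com>
To: merchant@example.net
Subject: Action required: confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account needs attention.</p>
<p><a href="https://secure-login.example-payments-alerts.com/verify">Review account</a></p>
<p>Questions? See <a href="https://stripe.com/docs">stripe.com/docs</a>.</p>
</body></html>
"""

# A benign message for comparison (also constructed).
LEGIT_MESSAGE = """\
From: "Stripe" <support@stripe.com>
To: merchant@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://dashboard.stripe.com/login">Sign in to view it</a></p>
</body></html>
"""

# Brand names (matched case-insensitively in the From display name) mapped to the
# domains that legitimately send for them. Constructed allowlist for the example;
# a real deployment would load the organisation's own list.
BRAND_DOMAINS = {
    "stripe": {"stripe.com"},
    "bank of america": {"bankofamerica.com"},
}


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Last two labels of a hostname: a naive stand-in for a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_display_name(display_name):
    lowered = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def triage(raw_message):
    """Return a list of (finding, detail) tuples for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    brand = brand_in_display_name(sender.display_name)

    # Check 1: the display name claims a brand, but the address is not on that brand's domain.
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(("display_name_mismatch",
                         f"{sender.display_name!r} sent from {sender.domain}"))

    # Check 2: links that leave the expected domain set. A valid certificate on an
    # unrelated .com is not a trust signal, so the URL scheme is deliberately ignored.
    expected = BRAND_DOMAINS[brand] if brand else {sender_domain}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for url in extractor.links:
            host = urlparse(url).hostname
            if host and registrable_domain(host) not in expected:
                findings.append(("offbrand_link", url))

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, triage(raw))
```

The phishing sample produces two findings (the display-name mismatch and the off-brand "Review account" link) while the legitimate-looking stripe.com documentation link is not flagged; the benign message produces none. Because the sender domain is taken from the actual address rather than the display name, this is the same alignment logic a DMARC check relies on, applied one step further to the links in the body.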
In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users: the malicious link took people who clicked to an official Office 365 login page - login. While the most recent versions of this stealthy phish targeted corporate users of Microsoft's Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers.
Threatpost editors discuss this week's biggest news - from a data breach of Bed Bath & Beyond, a tricky phishing attack and widespread APT activity.
Security Research Labs researchers used developer interfaces to turn digital home assistants into ‘Smart Spies’.