Security News

IPFS is a peer-to-peer network protocol designed to provide a decentralized and distributed web. In a usual phishing case, the target is enticed to visit a fraudulent phishing page that will steal their credentials and possibly their credit card information; however, this fraudulent page can be hosted on IPFS and accessed via a gateway.

In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns. "To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova said in a report published this week.

Phishers are targeting YouTube content creators by leveraging the service's Share Video by Email feature, which delivers the phishing email from an official YouTube email address. The email informs the targets of a new monetization policy, new rules, and prompts them to view a video.

Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers. While the messaging platform has been used for cybercriminal activities for several years, it appears that threat actors in the phishing business have started to rely on it more lately.

The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users. The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region.

New research from Microsoft's Threat Intelligence team exposed the activities of a threat actor named DEV-1101, which started advertising for an open-source phishing kit to deploy an adversary-in-the-middle campaign. According to Microsoft, the threat actor described the kit as a phishing application with "Reverse-proxy capabilities, automated setup, detection evasion through an antibot database, management of phishing activity through Telegram bots, and a wide range of ready-made phishing pages mimicking services such as Microsoft Office or Outlook."

Microsoft announced that the new Windows 11 build rolling out to Insiders in the Canary channel comes with increased protection against phishing attacks and support for SHA-3 cryptographic hash functions. Enhanced Phishing Protection is a Defender SmartScreen feature introduced with the release of Windows 11 22H2 in September 2022 and is designed to protect user credentials against phishing attacks.

After news broke late last week about Silicon Valley Bank's bank run and collapse, security researchers started warning SVB account holders about incoming SVB-related scams and phishing attempts. Proofpoint researchers flagged a campaign using messages supposedly coming from several cryptocurrency brands, trying to trick users into installing a Smart Contract that would transfer the contents of their wallet to the attacker's wallet.

Phishing attacks have become increasingly prevalent and sophisticated, making it more difficult for individuals to protect themselves from these scams. In this Help Net Security video, Ofek Ronen, Software Engineer at Perception Point, discusses two-step phishing attacks, which are not only dangerous but also evasive, making them even more challenging to detect and avoid.

Amid all of the buzz around ChatGPT and other artificial intelligence apps, cybercriminals have already started using AI to generate phishing emails. In the end, human-generated phishing mails caught more victims than did those created by ChatGPT. Specifically, the rate in which users fell for the human-generated messages was 4.2%, while the rate for the AI-generated ones was 2.9%. That means the human social engineers outperformed ChatGPT by around 69%. One positive outcome from the study is that security training can prove effective at thwarting phishing attacks.