Security News

New study reveals phishing simulations might not be effective in training users
2022-01-13 16:34

A new study at unprecedented scale revealed that embedded phishing training in simulations run by organizations doesn't work well. Those simulations pretend to be real phishing emails landing in employees' mailboxes, without any malicious payload. They show a realistic phishing page and collect statistics about who clicked with or without providing credentials, how many users reported it to the security staff, etc.

EA: 50 high-profile FIFA 22 accounts taken over by phishing actors
2022-01-12 09:43

Electronic Arts has published an official response to numerous reports about hacked player accounts, confirming the problem and attributing it to phishing actors. As the notice explains, hackers used social engineering against EA's customer experience team to bypass two-factor authentication and take over 50 player accounts.

US arrests suspect who stole unpublished books in phishing attacks
2022-01-06 17:55

According to a Department of Justice press release, 29-year-old Filippo Bernardini allegedly impersonated agents, editors, and others involved in the publishing industry to steal manuscripts of unpublished books. "Filippo Bernardini allegedly impersonated publishing industry individuals in order to have authors, including a Pulitzer prize winner, send him prepublication manuscripts for his own benefit," said U.S. Attorney Damian Williams.

Hackers exploit Google Docs in new phishing campaign
2022-01-06 15:44

Attackers are taking advantage of the comment feature in Google Docs to send people emails with malicious links, says Avanan. A new report released Thursday by email security provider Avanan looks at a new phishing campaign that abuses a popular feature in Google Docs to deploy malicious emails.

Google Docs commenting feature exploited for spear-phishing
2022-01-06 14:00

A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. Google Docs is used by many employees working or collaborating remotely, so most recipients of these emails are familiar with these notifications.

Dridex Omicron phishing taunts with funeral helpline number
2021-12-24 13:11

The latest example is a phishing campaign that taunts victims with a COVID-19 funeral assistance helpline number. Dridex is banking malware distributed through phishing emails containing malicious Word or Excel attachments.

Phishing campaign targets CoinSpot cryptoexchange 2FA codes
2021-12-23 18:31

A new phishing campaign that targets CoinSpot cryptocurrency exchange users employs a new theme revolving around withdrawal confirmations with the end goal of stealing two-factor authentication codes. More specifically, the threat actors send emails from a Yahoo address, replicating real emails from CoinSpot that ask the recipients to confirm or cancel a withdrawal transaction.

Microsoft Teams bug allowing phishing unpatched since March
2021-12-22 17:47

Microsoft said it won't fix or is delaying patches for several security flaws impacting Microsoft Teams' link preview feature reported since March 2021. Bräunlein reported the four flaws to the Microsoft Security Response Center, which investigates vulnerability reports concerning Microsoft products and services.

Meta Sues Hackers Behind Facebook, WhatsApp and Instagram Phishing Attacks
2021-12-20 23:20

Facebook's parent company Meta Platforms on Monday said it has filed a federal lawsuit in the U.S. state of California against bad actors who operated more than 39,000 phishing websites that impersonated its digital properties to mislead unsuspecting users into divulging their login credentials. The attacks were carried out using a relay service, Ngrok, that redirected internet traffic to the phishing websites in a manner that concealed the true location of the fraudulent infrastructure.

Meta sues people behind Facebook and Instagram phishing
2021-12-20 18:37

Meta has filed a federal lawsuit in California court to disrupt phishing attacks targeting Facebook, Messenger, Instagram, and WhatsApp users. The attackers behind these phishing campaigns used almost 40,000 phishing pages that would impersonate the four platforms' login pages.