Security News

LogoKit Simplifies Office 365, SharePoint ‘Login’ Phishing Pages
2021-01-28 16:46

A newly uncovered phishing kit, dubbed LogoKit, eliminates headaches for cybercriminals by automatically pulling victims' company logos onto the phishing login page. The targeted services range from generic login portals to fake SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login portals.

Business executives targeted with Office 365-themed phishing emails
2021-01-26 13:43

An ongoing campaign powered by a phishing kit sold on underground forums is explicitly targeting high-ranking executives in a variety of sectors and countries with fake Office 365 password expiration notifications, Trend Micro researchers warn. The compromised accounts can be used to send out even more convincing phishing emails, perpetrate BEC scams, or collect sensitive information.

TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks
2021-01-26 11:00

A vulnerability in the popular TikTok short-form video-sharing platform could have allowed attackers to easily compile users' phone numbers, unique user IDs and other data ripe for phishing attacks. In order to help users find friends through their contacts, TikTok contained a sync feature for contacts who had TikTok accounts.

Targeted Phishing Attacks Strike High-Ranking Company Executives
2021-01-26 04:48

An evolving phishing campaign observed at least since May 2020 has been found to target high-ranking company executives across manufacturing, real estate, finance, government, and technological sectors with the goal of obtaining sensitive information. The messages also include an embedded link to retain the same password that, when clicked, redirects users to a phishing page for credential harvesting.

Beware of this active UK NHS COVID-19 vaccination phishing attack
2021-01-25 23:27

A very active phishing campaign is underway pretending to be from the UK's National Health Service, alerting recipients that they are eligible to receive the COVID-19 vaccine. The phishing email asks the recipient if they want to accept or decline the invitation to schedule their COVID-19 vaccination.

Beware of active UK NHS COVID-19 vaccination phishing campaign
2021-01-25 23:27

A very active phishing campaign is underway pretending to be from the UK's National Health Service, alerting recipients that they are eligible to receive the COVID-19 vaccine. The phishing email asks the recipient if they want to accept or decline the invitation to schedule their COVID-19 vaccination.

How asset management companies are vulnerable to ransomware and phishing attacks
2021-01-21 14:18

Asset and wealth management companies play an important role in handling finances and investments for different clients throughout the world. A report released Thursday by digital risk company Digital Shadows examines why and how AWM companies are vulnerable to cyberattack and how they can defend themselves.

FBI warns of voice phishing attacks targeting employees at large companies
2021-01-19 19:20

The FBI is cautioning companies to beware of a slew of voice phishing attacks aimed at capturing the login credentials of employees. In an advisory released last Thursday, the FBI revealed that as of December 2019, cybercriminals have been working together on social engineering campaigns targeting employees at large firms both in the US and abroad. The criminals are taking advantage of VoIP platforms to launch voice phishing, or vishing, attacks.

FBI Warns of Employee Credential Phishing via Phone, Chat
2021-01-18 19:21

The Federal Bureau of Investigation has issued a Private Industry Notification to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms. An observed shift in tactics, the FBI says, is the targeting of all employee credentials, not exclusively of those individuals who might have higher access and privileges based on their corporate position.

Windows Finger command abused by phishing to download malware
2021-01-15 14:34

Attackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices. This week, security researcher Kirk Sayre found a phishing campaign utilizing the Finger command to download the MineBridge backdoor malware.