Security News

Google and Amazon overtook Apple in the second quarter of 2020 as the brand most spoofed by attackers to lure people into falling for phishing attacks. While the number of so-called brand-phishing attacks remained stable from the first quarter of 2020 to the second, there was a major shift in position for the companies that threat actors think people are most likely to trust - or whose pages they will most likely click on, according to Check Point Research's Brand Phishing Report for Q2. Brand phishing is a type of attack in which a threat actor imitates an official website of a known brand by using a similar domain or URL in an attack, as well as in some cases a copycat web page similar or identical to the actual company's original website in look and feel.

Twitter has confirmed that the breach of several high-profile accounts that occurred on July 15 was caused by a phone spear phishing attack that targeted a small number of employees. Using the credentials of the affected employees, the attackers managed to compromise 130 different Twitter accounts, including those of Bill Gates, Jeff Bezos, Elon Musk, Joe Biden, and Barack Obama, according to Twitter.

Twitter on Thursday revealed that several employees were targeted with phone spear-phishing in a social engineering attack leading to the recent security incident. A total of 130 accounts were targeted in the incident, with hackers abusing internal Twitter systems and tools to reset the passwords for 45 of them.

Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users' timelines polluted with a Bitcoin scam. "The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack," says a July 30 update to Twitter's incident report.

BitDam announced the availability of its new phishing scanner. Phishing attacks are also becoming increasingly sophisticated, making it harder for traditional phishing detection solutions based on reputation and threat intelligence to identify them.

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals. The U.S. elections have been targeted by phishing as well, with examples including attacks against election-sensitive organizations in 2016 and 2018, and phishing attempts targeting the current 2020 election cycle.

Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams. "From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it's clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities," said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.

In a new report released on Wednesday, enterprise security provider Balbix looks at the top threats cited in a survey of security professionals. For many organizations, limited visibility into their security holes and an inability to prioritize security issues are creating greater risk.

TransUnion surveyed consumers in six countries and found that phishing was the preferred method of attack 27% of the time. Credit agency TransUnion has found that COVID-19 related scams have targeted 32% of people around the world, and phishing is the method of choice, accounting for 27% of those attacks.

By hosting phishing pages at a legitimate cloud service, cybercriminals try to avoid arousing suspicion, says Check Point Research. The idea is that such phishing pages will better elude detection by security products and more easily ensnare unsuspecting victims.