Security News

LogMeIn is the parent company of LastPass, so attackers may also be attempting to access the password managers of compromised users, says Abnormal Security. As more people work from home due to the coronavirus, a new phishing campaign is impersonating the remote access tool LogMeIn to obtain the account credentials of unsuspecting victims.

A new phishing campaign can bypass multi-factor authentication on Office 365 to access victims' data stored on the cloud and use it to extort a Bitcoin ransom or even find new victims to target, security researchers have found. The attack is different than a typical credential harvester in that it attempts to trick users into granting permissions to the application, which can bypass MFA, he said.

Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company's cloud-based login screen. Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns.

The spread of the coronavirus has triggered a surge in templates that spoof government agencies and health organizations in an effort to capture personal information from people. In a blog post published Thursday, security provider Proofpoint looks at several virus-themed templates that have been used in phishing attacks.

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to. "Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials," Proofpoint researchers have noted.

That's especially true with phishing emails that attempt to hide the source of their deceptive landing pages and spoof or reference a well-known company or brand. A new phishing attack analyzed by Armorblox takes advantage of Symantec to trick users into falling for the scam.

Motimatic, a social impact company that enhances motivation and reinforces positive behavior through its marketing-for-good platform, announced the launch of a new cybersecurity solution for corporate employees. Motimatic for Cybersecurity enables enterprises to complement their existing cybersecurity investments by leveraging the power of social media and digital advertising to deliver targeted messages that educate employees, reinforce best practices, and motivate viewers to take preventative measures against cyberattacks.

The campaign impersonates Zoom emails, but steals the Microsoft account credentials of its victims, says security firm Abnormal Security. A new phishing campaign spotted by Abormal Security takes advantage of the popularity of Zoom to try to capture account credentials of unsuspecting users.

We believe we are less likely than others are to fall for phishing scams, thereby underestimating our own exposure to risk, a cybersecurity study has found. Half of the subjects were asked how likely they were to take the requested action while the other half was asked how likely another, specifically, "Someone like them," would do so.

Phishing emails typically try to ensnare their victims by impersonating well-known companies, brands, products, and other items used by a lot of people. The phishing email itself tries to look legitimate by copying the content and images of real emails from DocuSign.