Duo's Security Blog

APRIL 20, 2023

Through the first two months of 2023 alone, the Australian Competition and Consumer Commission’s Scamwatch reported more than 19,000 phishing reports with estimated financial losses of more than $5.2 What is phishing? This is part of what makes phishing attacks so dangerous.

Phishing 77

Phishing Social Engineering Authentication Engineering 77

SecureList

FEBRUARY 16, 2023

Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. Others offered the coveted Green Pass without vaccination.

Phishing 90

Phishing Scams Accountability Energy and Utilities 90

Google Security

MAY 11, 2022

Posted by Daniel Margolis, Software Engineer, Google Account Security Team Every year, security technologies improve: browsers get better , encryption becomes ubiquitous on the Web , authentication becomes stronger. But phishing persistently remains a threat (as shown by a recent phishing attack on the U.S.

Phishing 106

Phishing Scams Authentication Accountability 106

SC Magazine

FEBRUARY 23, 2021

Researchers reported Tuesday that they found two email phishing attacks targeting at least 10,000 mailboxes at FedEx and DHL Express that look to extract a user’s work email account. In the FedEx attack, the final phishing page spoofs an Office 365 portal packed with Microsoft branding. Brand impersonation.

Phishing 119

Phishing Social Engineering Accountability Technology 119

Malwarebytes

AUGUST 4, 2023

Attackers believed to have ties to Russia's Foreign Intelligence Service (SVR) are using Microsoft Teams chats as credential theft phishing lures. In the phishing attacks the group leverages previously compromised Microsoft 365 instances, mostly owned by small businesses, to create new domains that look like technical support accounts.

Authentication 89

Authentication Phishing Small Business Accountability 89

Security Affairs

FEBRUARY 8, 2019

Crooks leverage Google Translate service as camouflage on mobile browsers in a phishing campaign aimed at stealing Google account and Facebook credentials. The technique makes it harder to detect the attack on mobile browsers. “Some phishing attacks are more sophisticated than others.

Phishing 85

Phishing Mobile Security Intelligence Advertising 85

Krebs on Security

SEPTEMBER 29, 2021

That service quickly went offline, but new research reveals a number of competitors have since launched bot-based services that make it relatively easy for crooks to phish OTPs from targets. Some services also target other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”

Passwords 321

Passwords Mobile Authentication Banking 321

SecureList

FEBRUARY 15, 2021

The Kaspersky Anti-Phishing component blocked 434,898,635 attempts at accessing scam sites. The most frequent targets of phishing attacks were online stores (18.12 Contact us to lose your money or account! The contact phone trick was heavily used both in email messages and on phishing pages. Agentb malware family.

Phishing 136

Phishing Malware Scams Accountability 136

eSecurity Planet

AUGUST 16, 2021

A phishing campaign that Microsoft security researchers have been tracking for about a year highlights not only the ongoing success of social engineering efforts by hackers to compromise systems, but also the extent to which the bad actors will go to cover their tracks while stealing user credentials. Whitelisting vs. Blacklisting.

Phishing 109

Phishing Social Engineering Passwords Engineering 109

Duo's Security Blog

JULY 15, 2021

Part of our Administrator's Guide to Passwordless blog series See the video at the blog post. But on top of all of that, passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. That isn’t to say that every password-less solution needs to be phish-proof.

Phishing 100

Phishing Authentication Passwords Risk 100

BH Consulting

AUGUST 31, 2023

Having policies and procedures to secure social media accounts and minimise the potential for incidents can help. So in this blog, I’ll talk about the risks and steps to mitigate them. The organisation had suffered reputational damage after one of the team followed some accounts that didn’t fit with its values. More than 4.7

Media 52

Media Accountability Authentication Passwords 52

Identity IQ

JULY 3, 2023

How to Detect and Respond to Account Misuse IdentityIQ As digital connectivity continues to grow, safeguarding your online accounts from misuse is becoming increasingly crucial. Account misuse can result in alarming repercussions, including privacy breaches, financial losses, and identity theft.

Accountability 52

Accountability Identity Theft Passwords Social Engineering 52

Malwarebytes

MAY 10, 2023

In a recent blog post , the tech giant introduced the option to create and use a safer, more convenient alternative to passwords: Passkeys , a form of digital credential. When a Google user logs in to their account using a passkey, Google checks if the website has a corresponding public key. Phishing and breach protection.

Passwords 94

Passwords Accountability Phishing Mobile 94

The Last Watchdog

JULY 24, 2023

Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. In fact, according to Verizon’s most recent data breach report, approximately 80 percent of all breaches are caused by phishing and stolen credentials.

Authentication 245

Authentication Passwords Phishing Social Engineering 245

Duo's Security Blog

DECEMBER 14, 2023

A few days later, John finds himself locked out of his account, and quickly learns that the password reset link he clicked earlier did not come from his company. He took the steps needed to keep his account safe by following the directions from his IT team. Every day criminals send millions of phishing emails.

Social Engineering 111

Social Engineering Engineering Phishing Passwords 111

Digital Shadows

AUGUST 17, 2021

What is Phish(ing)? But, never mind the dozens of other reports and white papers about phishing that come out every year from security industry leaders, let’s take a look at the 2021 Verizon DBIR. Why should I care about Phish? The reason why phishing is still reigning supreme?

Phishing 52

Phishing Accountability Social Engineering Mobile 52

Security Affairs

FEBRUARY 24, 2020

Slickwraps has disclosed a data breach that impacted over 850,000 user accounts, data were accidentally exposed due to security vulnerabilities. Slickwraps is an online store that offers for sale skins mobile devices, laptops, smartphones, tablets, and gaming consoles. ” reported Slashgear. . ” reported Slashgear.

Accountability 95

Accountability Data breaches Passwords Advertising 95

Security Affairs

APRIL 20, 2023

The researchers from Google TAG are warning of Russia-linked threat actors targeting Ukraine with phishing campaigns. Russia-linked threat actors launched large-volume phishing campaigns against hundreds of users in Ukraine to gather intelligence and aimed at spreading disinformation, states Google’s Threat Analysis Group (TAG).

Phishing 88

Phishing Education Accountability Telecommunications 88

Malwarebytes

JULY 5, 2023

However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails. In this blog post, we review a recent phishing attack that was targeting both mobile and Desktop users looking up to track their packages via the United States Postal Service website. com super-trackings[.]com

Banking 97

Banking Phishing Scams Advertising 97

Security Affairs

APRIL 17, 2023

Typically, this type of tool would be used to hijack said services and use the infrastructure for mass spamming or opportunistic phishing campaigns.” The tools can also be used to implant webshells, perform brute-force attacks on CPanel or AWS accounts and send SMS messages to a list of dynamically-generated US mobile numbers.

Mobile 86

Mobile Hacking Malware Accountability 86

Malwarebytes

FEBRUARY 20, 2023

From the above linked Twitter blog post: While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. Out of those, 74.4%

Authentication 92

Authentication Phishing Mobile Accountability 92

Security Affairs

APRIL 4, 2023

The attacker can also use the compromised accounts to carry out lateral phishing attacks and further infiltrate the target organizations TA473 targeted US elected officials and staffers since at least February 2023. The threat actors created bespoke JavaScript payloads designed for each government targets’ webmail portal.

Phishing 91

Phishing Spyware Government Passwords 91

Duo's Security Blog

JULY 7, 2023

A passkey is a phishing-resistant cryptographic keypair you register for web-based authentication. See the video at the blog post. Even if your administrators’ laptops do not have biometric support, admins can use their mobile phone as an authentication device without needing to download an app. What is a passkey?

Authentication 83

Authentication Passwords Mobile Password Management 83

Webroot

APRIL 3, 2024

In a world where our lives are increasingly navigated through digital apps and online accounts, understanding and managing our online identities has become paramount. Simply put, it’s the practice of ensuring that only authorized individuals have access to your sensitive information and online accounts.

VPN 83

VPN Passwords Scams Accountability 83

Webroot

OCTOBER 25, 2021

The respected technology blog TechRadar has even referred to 2021 as “the year of the Chromebook.”. Many third-party security solutions are designed to account for exactly this type of behavior. In 2020, phishing scams spiked by 510 percent between January and February alone.

Identity Theft 120

Identity Theft Spyware Phishing Antivirus 120

SecureWorld News

JANUARY 31, 2023

Mänôz summarized his findings in a blog post: "I discovered the lack of rate-limiting issue in Instagram which could have allowed an attacker to bypass two factor authentication on Facebook by confirming the targeted user's already-confirmed Facebook mobile number using the Meta Accounts Center."

Accountability 75

Accountability Authentication Mobile Phishing 75

Duo's Security Blog

MAY 23, 2023

In our previous two features, we covered the dangers of phishing (one method of credential compromise) and how to mitigate its impact on users. Types of stronger authenticators Biometrics and FIDO2 are both examples of stronger authenticators that can help to secure online accounts from the impacts of credential compromise.

Authentication 131

Authentication Passwords Data breaches Phishing 131

Thales Cloud Protection & Licensing

OCTOBER 25, 2023

Many organizations train employees to spot phishing emails, but few raise awareness of vishing phone scams. Most people are familiar with the term phishing, but not everyone knows about vishing. It is a type of fraudulent activity that falls under the general phishing category and aims to achieve the same objectives.

Social Engineering 83

Social Engineering Phishing Engineering Scams 83

The Last Watchdog

OCTOBER 24, 2022

Employees are the first line of defense against cybercrime and should understand how to recognize phishing emails and what to do if they suspect them. One of the best ways to increase employee security awareness is to provide frequent training and communication about the risks of phishing and other cyberattacks.

Passwords 214

Passwords Security Awareness Data breaches Cybersecurity 214

Duo's Security Blog

APRIL 19, 2022

From chat rooms, to emails, to bank accounts, to medical information, proving that someone is who they say they are is a continuously evolving challenge. However, recent trends show that bad actors are targeting organizations by using OTPs in phishing attacks. What is a One-Time Password? Deny any suspicious authorization request.

Passwords 96

Passwords Authentication Phishing Accountability 96

eSecurity Planet

SEPTEMBER 30, 2021

Underground services are cropping up that are designed to enable bad actors to intercept one-time passwords (OTPs), which are widely used in two-factor authentication programs whose purpose is to better protect customers’ online accounts. By using the services, cybercriminals can gain access to victims’ accounts to steal money.

Authentication 107

Authentication Social Engineering Phishing Banking 107

Security Boulevard

AUGUST 3, 2022

230 apps were leaking all four 0Auth authentication credentials and could be used to fully take over Twitter accounts to perform critical/sensitive actions. Some of those sensitive actions include reading Direct Messages, retweeting, deleting messages, liking messages, and getting account settings. Twitter API. The vulnerability.

Mobile 98

Mobile Authentication Accountability Identity Theft 98

Security Affairs

MAY 27, 2022

can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets. According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware. is distributed rapidly through various phishing sites, primarily targeting Polish users.”

Banking 143

Banking Malware Cybercrime Phishing 143

Malwarebytes

JANUARY 31, 2022

The hijackers compromise the account, switch the picture to Elon, and then start spamming cryptocurrency links. Alternatively, they may keep the account as it is and spam images claiming Elon has approved a giveaway or something similar. Another tweet (now deleted) suggested people should send a direct message to the account.

Scams 90

Scams Cryptocurrency Accountability Phishing 90

Malwarebytes

JUNE 1, 2021

This blog post was authored by Hossein Jazi. On December 2020, KISA (Korean Internet & Security Agency) provided a detailed analysis about the phishing infrastructure and TTPs used by Kimsuky to target South Korea. Phishing Infrastructure. Figure 1: Phishing service model. microsoft-office[.]us microsoft-office[.]us.

Government 144

Government Phishing Encryption Media 144

Webroot

JUNE 2, 2022

A huge economy has developed within the gaming community: People buy and sell in-game objects, character modifications, and even accounts. Account takeovers. Bad actors are always on the lookout for easy-to-breach gaming accounts. Once stolen, they can resell an account or its contents to interested buyers.

Cyber threats 99

Cyber threats Social Engineering Accountability Malware 99

Duo's Security Blog

FEBRUARY 15, 2024

The benefit of these codes is that they are random numbers, so they can be difficult to guess, and they cannot be reused across a user’s different accounts (like passwords typically are). Phishing: An attacker sends a user a link to a fake website to capture the user’s username and password.

Social Engineering 114

Social Engineering Authentication Passwords Engineering 114