Krebs on Security

NOVEMBER 1, 2024

This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California.

Phishing 273

Phishing Accountability Artificial Intelligence Cybercrime 273

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. A Google-translated version of the now-defunct Coinbase phishing site, coinbase.com.password-reset[.]com. The Coinbase phishing panel.

Passwords 363

Passwords Phishing Accountability Mobile 363

Krebs on Security

JANUARY 7, 2020

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service.

Phishing 292

Phishing Passwords Accountability Authentication 292

Krebs on Security

NOVEMBER 21, 2024

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Image: Amitai Cohen twitter.com/amitaico. com and ouryahoo-okta[.]com. Click to enlarge.

Identity Theft 265

Identity Theft Phishing Cryptocurrency Accountability 265

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing 116

Phishing Accountability Authentication Advertising 116

Malwarebytes

MAY 2, 2025

If there is a cybersecurity themed day that we would like to get rid as soon as possible its world password day. To quote Microsoft : As the world shifts from passwords to passkeys, were excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.

Passwords 87

Passwords Password Management Authentication Accountability 87

Security Affairs

FEBRUARY 16, 2025

Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. ” Device code phishing attacks exploit authentication flows to steal tokens, granting attackers access to accounts and data. ” continues the report.

Phishing 118

Phishing Authentication Telecommunications Accountability 118

Troy Hunt

AUGUST 30, 2023

They'd observed a phishing campaign that had collected 68k credentials from unsuspecting victims and asked if HIBP may be used to help alert these individuals to their exposure. Last week I was contacted by CERT Poland. Data accumulated by the malicious activity spanned from October 2022 until just last week.

Phishing 363

Phishing Password Management Passwords Banking 363

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. An ad for the OTP interception service/bot “SMSRanger.”

Passwords 343

Passwords Mobile Authentication Banking 343

Malwarebytes

MARCH 26, 2025

A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown. Use a different password for every online account. Choose a strong password that you dont use for anything else.

Phishing 125

Phishing Malware Passwords Password Management 125

Thales Cloud Protection & Licensing

MAY 7, 2025

Phishing-Resistant MFA: Why FIDO is Essential madhav Thu, 05/08/2025 - 04:47 Phishing attacks are one of the most pervasive and insidious threats, with businesses facing increasingly sophisticated and convincing attacks that exploit human error.

Phishing 71

Phishing Authentication Passwords Social Engineering 71

eSecurity Planet

FEBRUARY 10, 2025

In a stark warning to organizations and everyday users alike, cybersecurity experts and government agencies have sounded the alarm over a new breed of Gmail-targeted phishing attacks. AI-Enhanced Cyberthreats Recent intelligence indicates that the sophistication of Gmail phishing campaigns has reached new heights.

Phishing 113

Phishing Artificial Intelligence Password Management Accountability 113

Malwarebytes

FEBRUARY 13, 2025

Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

Phishing 110

Phishing Artificial Intelligence Identity Theft Accountability 110

SecureWorld News

APRIL 28, 2025

The phishing game has evolved into synthetic sabotage a hybrid form of social engineering powered by AI that can personalize, localize, and scale attacks with unnerving precision. The quiet revolution of phishing-as-a-service (PhaaS) If you haven't noticed by now, phishing has gone SaaS. For phishing, this is a gold mine.

Phishing 100

Phishing Social Engineering Engineering Data breaches 100

Krebs on Security

MARCH 31, 2020

A spear-phishing attack this week hooked a customer service employee at GoDaddy.com , the world’s largest domain name registrar, KrebsOnSecurity has learned. 49 (that domain is hobbled here because it is currently flagged as hosting a phishing site). It was starting to look like someone had gotten phished.

Phishing 343

Phishing DNS Social Engineering Accountability 343

Krebs on Security

MAY 7, 2022

Apple , Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. “I worry about forgotten password recovery for cloud accounts.”

Passwords 270

Passwords Authentication Accountability Mobile 270

Security Affairs

NOVEMBER 29, 2024

Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms, their latest report focuses on a toolkit called Rockstar 2FA.

Phishing 95

Phishing Accountability Authentication Advertising 95

SecureWorld News

MAY 1, 2025

As we celebrate World Password Day on May 1st, it's clear that traditional password trickslike swapping "a" with "@" or adding an exclamation point at the endare no longer fooling hackers. Hackers today can guess common patterns and character swaps in mere seconds, leaving those "clever" passwords vulnerable.

Passwords 71

Passwords Password Management Authentication Mobile 71

Krebs on Security

APRIL 30, 2025

Buchanan was arrested in Spain last year on a warrant from the FBI, which wanted him in connection with a series of SMS-based phishing attacks in the summer of 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and many other tech firms. A Scattered Spider/0Ktapus SMS phishing lure sent to Twilio employees in 2022.

Identity Theft 192

Identity Theft Phishing Cryptocurrency Cybercrime 192

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). In that post we talked about 8 levels of password security, starting from using shared and weak passwords and going all the way up to passwordless. The answer is remarkably simple, actually— phishing.

Authentication 364

Authentication Phishing Passwords Accountability 364

The Last Watchdog

JULY 24, 2023

Accessing vital information to complete day-to-day tasks at our jobs still requires using a password-based system at most companies. Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. Some solutions do this today.

Authentication 245

Authentication Passwords Phishing Social Engineering 245

The Last Watchdog

DECEMBER 6, 2021

For IT leaders, passwords no longer cut it. This traditional authentication method is challenging to get rid of, mostly because it’s so common. Every new account you sign up for, application you download, or device you purchase requires a password. Lowering password use. So why are they still around?

Authentication 251

Authentication Passwords Mobile Phishing 251

Security Affairs

APRIL 22, 2025

. “There has been a sharp increase in the number of cases of unauthorized access and unauthorized trading (trading by third parties) on Internet trading services using stolen customer information (login IDs, passwords, etc.) from fake websites (phishing sites) disguised as websites of real securities companies.”

Financial Services 123

Financial Services Passwords Accountability Antivirus 123

Malwarebytes

FEBRUARY 7, 2025

Post by emirking A translation of the Russian statement by the poster says: When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldnt stay hidden. The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems.

Accountability 138

Accountability Phishing Passwords Authentication 138

Malwarebytes

FEBRUARY 25, 2025

If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage: Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Enable two-factor authentication (2FA).

Passwords 145

Passwords Password Management Phishing Authentication 145

Krebs on Security

JUNE 15, 2024

.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS. A Scattered Spider phishing lure sent to Twilio employees.

Hacking 342

Hacking Cybercrime Phishing Passwords 342

Krebs on Security

APRIL 3, 2024

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “ The Manipulaters ,” a sprawling web hosting network of phishing and spam delivery platforms. Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com.

Phishing 295

Phishing Cybercrime Malware Advertising 295

Jane Frankland

MAY 16, 2025

MFA Bypass Methods: SIM swaps, malware, or phishing sites that trick you into revealing or approving access. Auto-fill Exploits: A small but critical sign when your password manager doesnt autofill it might be a scam site. Avoid reusing passwords across different services. You might think, Why didnt I stop there?

Scams 130

Scams Password Management Passwords Banking 130

Thales Cloud Protection & Licensing

JANUARY 31, 2025

Level Up Your Security: Embrace Passkeys and Phishing-Resistant 2FA andrew.gertz@t Fri, 01/31/2025 - 15:17 Celebrate Change Your Password Day and 2FA Day by embracing passkeys and phishing-resistant 2FA. Learn why these modern security practices are essential for safer, stronger authentication. But it has had its day.

Phishing 62

Phishing Passwords Password Management Authentication 62

Malwarebytes

APRIL 24, 2025

Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Better yet, let a password manager choose one for you. Enable two-factor authentication (2FA). 2FA that relies on a FIDO2 device cant be phished.

Insurance 121

Insurance Data breaches Passwords Phishing 121

Krebs on Security

AUGUST 17, 2023

You’ve probably never heard of “ 16Shop ,” but there’s a good chance someone using it has tried to phish you. A 16Shop phishing page spoofing Apple and targeting Japanese users. Image: Akamai.com. The INTERPOL statement says the platform sold hacking tools to compromise more than 70,000 users in 43 countries.

Phishing 241

Phishing Passwords Internet Internet 241

eSecurity Planet

NOVEMBER 6, 2024

Though cookies themselves don’t steal passwords, they can be hijacked to access sensitive data. Attackers can steal your cookies through phishing, malware, and MITM attacks, leading to data theft, financial loss, and identity theft. Initial Attack Vector Attackers might send phishing emails or create fake websites.

Identity Theft 109

Identity Theft Passwords Phishing Accountability 109

Krebs on Security

FEBRUARY 26, 2023

But it’s worth revisiting how this group typically got in to targeted companies: By calling employees and tricking them into navigating to a phishing website. But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee. In a filing with the U.S.

Hacking 330

Hacking Social Engineering Phishing Scams 330

Malwarebytes

JANUARY 27, 2025

Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you dont use for anything else. Better yet, let a password manager choose one for you. Enable two-factor authentication (2FA). 2FA that relies on a FIDO2 device cant be phished.

Data breaches 130

Data breaches Healthcare Passwords Insurance 130

Malwarebytes

APRIL 8, 2025

By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) the keys to someone’s financial data needed for tax compliance.

Phishing 86

Phishing Scams Accountability Passwords 86

Krebs on Security

JULY 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another.

Passwords 363

Passwords Password Management Phishing Scams 363

Malwarebytes

APRIL 28, 2025

This incident echoes a previous Cybernews investigation that found WebWork, another remote team tracker, leaked over 13 million screenshots containing emails, passwords, and other sensitive work data. Change the passwords that may have been seen. You can make a stolen password useless to thieves by changing it.

Passwords 95

Passwords Phishing Spyware Password Management 95