Krebs on Security

AUGUST 30, 2022

A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices. In an Aug.

Mobile 340

Mobile Phishing Authentication Accountability 340

Krebs on Security

NOVEMBER 6, 2018

that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. That’s just too risky for the attackers, he said.

Mobile 275

Mobile Cryptocurrency Accountability Passwords 275

Krebs on Security

SEPTEMBER 29, 2021

.” Many websites now require users to supply both a password and a numeric code/OTP token sent via text message, or one generated by mobile apps like Authy and Google Authenticator. agency — advertised a web-based bot designed to trick targets into giving up OTP tokens.

Passwords 343

Passwords Mobile Authentication Banking 343

Krebs on Security

NOVEMBER 4, 2021

Louis Morton , a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered. com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. .”

Phishing 336

Phishing Scams Mobile DNS 336

Krebs on Security

OCTOBER 13, 2021

In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app. Armed with the target’s mobile number, they could also click “Send verification SMS” with a text message prompting them to text back a one-time code.

Passwords 363

Passwords Phishing Accountability Mobile 363

Krebs on Security

JANUARY 30, 2024

In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victim’s mobile phone number to a new device that they controlled. Prosecutors say Noah Michael Urban of Palm Coast, Fla.,

Social Engineering 358

Social Engineering Mobile Passwords Cybercrime 358

Krebs on Security

AUGUST 3, 2023

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into mobile apps and evade security scanning tools. At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric , a security firm based in Amsterdam.

Mobile 244

Mobile Malware Banking Cybercrime 244

Krebs on Security

FEBRUARY 8, 2021

Brad Marden , superintendent of cybercrime operations for the Australian Federal Police (AFP), said their investigation into who was behind U-Admin began in late 2018, after Australian citizens began getting deluged with phishing attacks via mobile text messages that leveraged the software.

Phishing 340

Phishing Scams Banking Mobile 340

Krebs on Security

APRIL 28, 2020

But in a phone interview with KrebsOnSecurity earlier this week, Jim made a call to Citi’s automated system from his mobile phone on file with the bank, and I could hear Citi’s systems asking him to enter the last four digits of his credit card number before he could review recent transactions.

Scams 363

Scams Banking Accountability Financial Services 363

Krebs on Security

FEBRUARY 4, 2021

Usually, this is a mobile app that generates a one-time code, but some sites like Twitter and Facebook now support even more robust options — such as physical security keys. SIM swapping involves convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.

Accountability 327

Accountability Hacking Media Mobile 327

Krebs on Security

JUNE 22, 2023

Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox ) revealed the first stage of this smishing attack. The site would only load in a mobile browser.

Phishing 326

Phishing Retail Mobile Scams 326

Krebs on Security

AUGUST 25, 2021

In those cases, the plaintiffs have sought to extract compensation for their losses from the mobile phone companies — but so far those lawsuits have largely failed to yield results and are often pushed into arbitration.

Cryptocurrency 362

Cryptocurrency Malware Mobile Accountability 362

Krebs on Security

SEPTEMBER 28, 2021

The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode.

Mobile 349

Mobile Phishing Malware Software 349

Krebs on Security

APRIL 12, 2022

One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile , although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

Government 262

Government Identity Theft Mobile Data breaches 262

Krebs on Security

AUGUST 18, 2022

It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank.

Scams 340

Scams Phishing Accountability Software 340

Krebs on Security

AUGUST 23, 2024

Caturegli said he knows this because he “defensively” registered local.ad, which he said is currently used by multiple large organizations for Active Directory setups — including a European mobile phone provider, and the City of Newcastle in the United Kingdom. and schema.ad.

DNS 327

DNS Internet Internet Authentication 327

Krebs on Security

SEPTEMBER 2, 2024

The call would prompt the target to enter a one-time passcode generated by their phone’s mobile app, and the code was then relayed to the scammer’s user panel at the OTP Agency website. A statement published Aug. 30 by the U.K.’s

Accountability 310

Accountability Banking Passwords Scams 310

Krebs on Security

NOVEMBER 17, 2020

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device.

Antivirus 358

Antivirus Advertising Internet Internet 358

Krebs on Security

JANUARY 13, 2020

Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.

Phishing 281

Phishing Scams Mobile Encryption 281

Krebs on Security

DECEMBER 13, 2022

USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number. “I wasn’t expected to be approve[d].”

Hacking 363

Hacking Energy and Utilities Cybercrime Accountability 363

Krebs on Security

SEPTEMBER 18, 2024

com show this user’s PC became infected immediately after they downloaded a booby-trapped mobile application development toolkit. Malware purveyors will often deploy infostealer malware by bundling it with “cracked” or pirated software titles. Indeed, the stealer logs for the administrator of apkdownloadweb[.]com

Scams 64

Scams DNS Internet Internet 64

Krebs on Security

AUGUST 9, 2021

This is all meant to be a big joke: Krebs means “crab” or “cancer” in German, but a “crab” is sometimes used in Russian hacker slang to refer to a “carder,” or a person who regularly engages in street-level credit card fraud. Like Mitch.

Phishing 362

Phishing Cybercrime Accountability Advertising 362

Krebs on Security

NOVEMBER 16, 2022

Look carefully, and you’ll notice small dots beneath the “a” and the second “e” You could be forgiven if you mistook one or both of those dots for a spec of dust on your computer screen or mobile device.

Malware 336

Malware Banking Phishing DDOS 336

Krebs on Security

FEBRUARY 26, 2023

Many companies now require employees to supply a one-time password — such as one sent via SMS or produced by a mobile authenticator app — in addition to their username and password when logging in to company assets online.

Hacking 330

Hacking Social Engineering Phishing Scams 330

Krebs on Security

SEPTEMBER 5, 2023

Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts. Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals.

Cryptocurrency 361

Cryptocurrency Passwords Encryption Accountability 361

Krebs on Security

FEBRUARY 25, 2021

requires applicants to supply a great deal more information than previously requested by the states, such as images of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service. To screen out fraudsters, ID.me

Scams 335

Scams Insurance DDOS Authentication 335

Krebs on Security

JANUARY 9, 2023

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others. My advice: Ignore the lock services, and just freeze your credit files already.

Identity Theft 351

Identity Theft Accountability Authentication Web Fraud 351

Krebs on Security

JULY 25, 2023

And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device. “The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store.

Malware 244

Malware VPN Internet Internet 244

Krebs on Security

SEPTEMBER 26, 2024

The government believes the brains behind Joker’s Stash is Timur Kamilevich Shakhmametov , an individual who is listed in Russian incorporation documents as the owner of Arpa Plus , a Novosibirsk company that makes mobile games. ru , which periodically published hacking tools and exploits for software vulnerabilities.

Cryptocurrency 308

Cryptocurrency Cybercrime Retail Government 308

Krebs on Security

OCTOBER 25, 2018

Earlier this month, Tokazowski was given the JD Falk award by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) for his efforts in building and growing the BEC List (loyal readers here may recognize the M3AAWG name: KrebsOnSecurity received a different award from M3AAWG in 2014 ).

Scams 241

Scams Accountability Media Banking 241

Krebs on Security

JULY 21, 2022

“It’s important to be able to mobilize quickly and know how to freeze and seize crypto and get it back to its rightful owner,” West said. “We definitely have made seizures in cases involving pig butchering, but we haven’t gotten that back to the rightful owners yet.”

Scams 328

Scams Cryptocurrency Marketing Internet 328

Security Boulevard

MAY 19, 2021

Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.

Mobile 52

Mobile Wireless Financial Services Passwords 52

Krebs on Security

FEBRUARY 18, 2025

But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores. And they are not traditional SMS phishing or “ smishing ” messages, as they bypass the mobile networks entirely.

Phishing 298

Phishing Mobile Scams Banking 298

Security Boulevard

MARCH 31, 2022

On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S.

Mobile 52

Mobile Media Government Accountability 52

Security Boulevard

SEPTEMBER 28, 2021

The new $30 Airtag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the Airtag has been set to lost mode.

Mobile 52

Mobile Phishing Web Fraud 52

Krebs on Security

FEBRUARY 28, 2023

Image: Shutterstock.com Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. Each advertises their claimed access to T-Mobile systems in a similar way. ” or “ Tmo up!

Mobile 338

Mobile Phishing Authentication Advertising 338

Security Boulevard

APRIL 12, 2022

The DOJ also charged the alleged administrator of RaidForums -- 21-year-old Diogo Santos Coelho, of Portugal -- with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

Identity Theft 52

Identity Theft Data breaches Cybercrime Web Fraud 52