#phishing


cyber-sec

Fake Starbucks Login Page Stole Employees' Social Security Numbers and Bank Details

Attackers built convincing phishing sites impersonating Starbucks’ internal HR portal and used them to hijack 889 employee accounts, harvesting names, Social Security numbers, and financial account details over nearly a month.

Source: Bleeping Computer | DocumentCloud

Read more: CyberSecBrief

cyber-sec

Phishing Links That Look Like They Come From Your Security Software? That's the Point.

Cybercriminals are now chaining up to six layers of URL rewrites from vendors including Cisco, Sophos, and Barracuda to make phishing links appear to originate from trusted security platforms — and it’s working well enough to steal credentials and session tokens at scale.

Source: LevelBlue

Read more: CyberSecBrief

ericagazzoldi

Vinted scams: a guide to recognizing them and defending yourself

the-wisper-report

Taking War Online

It is difficult to maintain objectivity in the face of international conflict. I am but a small voice, without much reach or influence, doing my best to deliver clear and concise educational reports across a spectrum of broadly related technological subjects. I try to maintain neutrality regarding the information I relay. Facts, not guesses, although the occasional one slips through from time to time. I frequently mention that part of my job is to find patterns and when I see one, I’ll say so. Furthermore, I am just one person, and can’t possibly cover everything that’s happening day to day. I usually choose a topic to talk about based on my own interest in it. I am often learning something even as I iterate it for you, my readers. Although relevance to current events certainly plays a role.

Today that relevance is how much of armed conflict has moved from physical battlegrounds to digital ones. This isn’t to say that it’s shifted entirely; air strikes, bombings and soldiers on the ground are still very much involved. But my focus is going to stick firmly to that which I am trained to talk about, namely the information security side.

This isn’t the first time I have broached the subject of cyber activity in relation to the US-Iranian conflict. Just a week ago I talked about a surge of hacktivism following the initial February 28th strikes. What’s emerged since appears to be opportunistic attacks against a variety of victims rather than any targeted effort to help or hinder a particular side of the war. More disruptive than destructive. Proofpoint has compiled a list of campaigns that they have observed in the last two weeks, and of them only a single one appears to be coming out of Iran itself. The rest either originate from other Middle Eastern nations or are aimed towards them. This is not espionage so much as chaos sowing. One could make the argument that this is a ruse and some underlying, not yet confirmed pattern does exist. Then again, that could just be my own zero trust factor speaking. The first rule of cyber analysis is to assume a breach, then set about proving or disproving it.

The campaigns are mostly comprised of phishing attempts against government officials. Embedded in the compromised emails are a Cobalt Strike loader, a Rust-based backdoor for command-and-control purposes, and credential harvesting malware, with one of the campaigns’ payloads being thus far unknown. Taken together they don’t look all that dangerous compared to the very real threat of missile barrages. But some of the most devastating data breaches happen from just one small incident. And the ability to remotely execute commands with the participants unaware that they’ve been hacked could make or break diplomacy when it’s happening to embassies and ministry leaders. Chaos indeed.

This conflict isn’t new; only this chapter of it is. There is an aspect of social engineering related to these campaigns, as well as topical interest since all eyes are pointed at the Middle East. They say crows follow an army, looking to scavenge. Threat actors, even state sanctioned ones, are not dissimilar. I’m sure more attacks of this nature will happen as this continues. I’ll be watching for them.


Posted, 3/12/26

it4intserversworld

iT4iNT SERVER Attackers Don’t Just Send Phishing Emails. They Weaponize Your SOC’s Workload http://dlvr.it/TRRrn9 VDS VPS Cloud

the-wisper-report

Click Here! Trust Me

Malvertising, as defined by Wikipedia, is the use of online advertising to spread malware. The name is a portmanteau of ‘malicious advertising’, and it relies on social engineering and trust to deliver its payload, much like phishing schemes. It used to be more obvious, to the point where it was meme-able, the province of sidebar ads on explicit websites luring in the unwary with hot singles in one’s area or for performance enhancing pharmaceuticals. It still exists in banner and clickbait type ads, commonly promoting self help objects or special ‘deals’ for products. It’s a regular feature of many preinstalled casual game suites in Windows; my home computer’s antivirus software has blocked the pages of those ads from opening when accidentally clicked nearly every single time due to the URLs being suspicious. To a degree, it’s targeted. The ones I see are aimed at a particular demographic, usually older people who may not be as savvy in noticing the falseness.

The web seems to be riddled with fake ads. Popups, compromised widgets and third party apps are all likely locations to find either self hosted malware or redirects to spoofed domains. And these days, many of them are targeted towards developers. There are two articles regarding the delivery of malware via spoofed websites on my news feed today. One is a ‘classic’ ClickFix campaign, tricking users into downloading an open source video editor containing a REMCOS Trojan through a faked CAPTCHA page. Pretty standard fare, as ClickFix campaigns go. The other one is a Claude AI clone that delivers an infostealer as its payload, and is the one I’ll be focusing on.

Spoofing is frequently the vehicle driving these campaigns, presenting a legitimate looking site during a search, as is the case with the Claude clone, which has been dubbed ‘InstallFix’ by Push Security. The malicious code is typically obfuscated. Push Security’s report states that the fake site is identical in every way to the real thing, and is only visible as malware if one hovers over the copy and paste command. Hence my often repeated warning against copying and pasting anything into a command line. You don’t know what it actually is. AI is a popular vector for compromise, since the agents offer less technically adept users a simplified way to utilize developer tools and is trendy to boot.

Push goes on to say that the copy/paste/run model is becoming the norm for developer software. Many packages, in a variety of coding languages, instruct their users to do it as part and parcel of installation. It is a framework based on trusting the domain, which is where a lot of these problems share a root cause. Despite numerous admonitions towards zero trust, security is rarely at the forefront of a user’s mind when faced with something flashy or there’s a deadline to meet. And threat actors are counting on that lack of vigilance.

InstallFix is distributed through Google ads, showing up in sponsored results when users are searching for ‘Claude Code’, ‘Claude Code install’, or ‘Claude Code CLI’. In the images Push shares in the article, not one of the top results actually goes to Anthropic, Claude’s parent company, and the only place one should be getting it from.

This in itself is part of the larger issue with social engineering and the degree to which our search engines have changed. Sponsored results are how many of these malvertising scams work. People see the first link and click on it without thinking, or even looking at the source. I’ve come across it myself in everything from social media to banking institutions to my phone provider. A few extra seconds to check the source of a site is all it takes not to click the wrong thing. Prevention is always going to be the best medicine, but remember if you get into trouble, your friendly neighborhood WISP is here to help.


Posted, 3/10/26

coccyxdanceclub

#ULKQHOERIPDNJM7S, #skull&crossbone_0003, #Keywords, #phishing, #usedballotforms, #tort,

Phishing is a type of online scam that targets people by sending them a message that appears to be from a well-known source, asking them to provide personal identifying information or payment information.  [ I have flickr’s copy/link, if you are interested ]

?001_The first ref. From a well-known source, is using THE platforms, trademarked identification, e.g. “googlegooglespecialmail”.  The reason for this that PRESENT trends of most platforms is that they “DO NOT LIST” any of their “activite_support_staff”, as to not id their use of simple ‘bot_responses”
?002_They allow to promote ”community_groups” that are NOT legally represented by the “company_policies”.
?003_Then there is the?.gov groups, that say that they are just checking?
?004_The obvious areas, is the EX_staff!  They know or have access to 95% of the procedures/coding
?005_Then general hackers, “do you have £10.00”.
?006_BACKDOOR access, DO NOT NEED TO ASK YOU ANYTHING!

what is phishing…IF you ‘collect’ any platforms’ “FOLLOW_ME” usernames, you can simple analysis the NEXT “byte coin” surge! Generally the platforms do not wish you can analysis their data from an external environment. BUT, they will continue you to follow_without TRUE, CONTACT ref. details!

NOTE, GREAT naked photo, with GREAT beach area, FAV. Cafe & NO f’cking reference of a ?gps location!, IT is embedded into the devices

#h!.1*(NkM>j #Sunday #March8th2026, #time1530

cyber-sec

That Rocket Alert on Your Phone Could Be Spyware in Disguise

Attackers are sending fake Home Front Command SMS messages to Israelis, tricking them into installing a trojanised Red Alert app that silently steals texts, contacts, location data, and device accounts.

Source: Acronis Threat Research Unit

Read more: CyberSecBrief

cyber-sec

Fake GitHub Repos Are Spreading a Stealthy Password-Stealing Trojan

BoryptGrab hides inside SEO-boosted fake repositories for popular gaming tools and software, then silently drains browser passwords, crypto wallets, Telegram data, and Discord tokens — and in some cases opens a permanent backdoor on the victim’s machine.

Source: Trend Micro

Read more: CyberSecBrief

the-wisper-report

Bagging a Big One

Large scale disruptions are rather few and far between. In the six months I’ve been writing these reports, only one or two come to mind compared to near constant campaigns and incursions. Part of this is because disruptions at scale take time and effort to coordinate on a ‘battlefield’ that’s always changing. But today I get to add another to their number. Europol, in conjunction with Microsoft, TrendAI™, CloudFlare, Coinbase, Crowell, eSentire, Health-ISAC, Intel471, Proofpoint, Resecurity, The Shadowserver Foundation, SpyCloud, and other law enforcement agencies have successfully seized over 300 domains associated with the phishing-as-a-service known as Tycoon2FA.

Threat actors such as Tycoon2FA are not attackers in their own right. Instead they provide man-in-the-middle type services, linking lesser skilled operators with effective toolkits that they don’t necessarily need to understand, since the service does all the work. In this case, that service is as a proxy in between attackers, their victims, and legitimate login pages. Once infiltration is successful, they harvest credentials, MFA codes, and session cookies in real time. That data is then sent back to the ‘client’ to replay when MFA is enabled to take over accounts. This can create a cascading effect beyond the original point of compromise, as stolen sessions and accounts can be reused, resold, and repurposed across multiple operations.

Trend Micro states that, at the time of yesterday’s report, Tycoon2FA had some two thousand users, with over 24,000 domains since its arrival on the scene in 2023. The platform operates at a large scale, providing a ready to use toolkit that requires little setup by those using it. Some versions include evasion features to make detection more difficult, like anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages.

In terms of financial damage, phishing does not compare to something like ransomware, but Trend Micro warns that it shouldn’t be underestimated, since the tactic is widespread and often easily missed, since it requires the victim to take the bait to be initialized. They go on to say that operations like these are hard to track due to the very nature of phishing. The infrastructure, hosting, and victims involved are spread across many countries and networks, and need the cooperation of many levels of detection, analysis and legal authority to disrupt. Microsoft Threat Intelligence, who also published a report on this disruption, states that campaigns using Tycoon2FA have appeared across nearly all sectors including education, healthcare, finance, non-profit, and government. The platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. By stealing session cookies and MFA codes, persistence can be enacted even after passwords are reset unless explicitly revoked (when one clears their browser of all history and cookies, which is a good preventative measure to begin with).

While this disruption does not mitigate the damage done to already compromised victims, it does hinder subsequent attack campaigns. A coordinated effort involving tracking, analysis, and disruption efforts makes it harder for operations to rebuild and reuse tools, or move to a new platform without being noticed at least in the short to medium term by someone. Trend Micro, for instance, states that it will continue to monitor any activity that might resemble Tycoon2FA, while MTI offers a variety of tips for users to protect themselves now and in the future. Congrats to all those involved in this disruption, it was a lot of hard work and cooperation. I tip my hat to you all.


Posted, 3/5/26

bilismemora

PSA to everyone, this phishing shit is making rounds again


this is the image it sent me


as always

don’t fall for it, don’t go to any of the sites it tells you to go to. If it was really an issue, @tumblr would contact you via email. Tumblr is a big company. It wouldn’t be asking you to go to a third party site.

applesferablog

Mobile cybersecurity and invisible malware: the banking trojan

Mobile cybersecurity faces its greatest threat in invisible malware that infiltrates devices to drain funds from financial applications. You will no longer see invasive ads, nor will the phone heat up strangely from background processes; now, the attack is surgical and silent.

The code that “hijacks” your smartphone’s screen

What we are seeing with…

vanillacreamlily

BRO THE SCAMMERS KEEP FINDING MEEEEE 💔💔💔💔💔💔💔

I wanna be funny and say this is ableism but I’m genuinely on the spectrum and get anxiety attacks if I cannot tell if something someone is saying to me that’s serious is real or fake as I take everything literally. So broooo I’m fighting for my life in my DMs again ❤️

also-known-as-zeaf

I think this account might be a scammer. The account was made just this month, March 2026, and did only sonic reblogs. I blocked the person and made a report. I have also changed my password.

Just so you know, I, also-known-as-zeaf, have never asked for commissions, nor do I do commissions.

Be careful. If someone messages you and then says they erroneously made a report about you, it is a scammer or a phisher. Do not reply to their messages.

yeetusthegreat

THIS IS ME!


OKAY Y’ALL ⭐️⭐️

So, this is my old account. I was scammed just today, and lost $60 to someone who now has my account. If you follow me, please switch to this one!!

shebassheep

someone has sabotaged Shebassheep.tumblr.com after not even 30 days.


All I do is post art, I don’t ask people for money on this site.

dgp14gyba

Hello!! everyone on Tumblr
(My English isn’t very good, sorry about that.)

(I’m not an expert on this topic and I could be wrong, so I apologize – this is just my perspective)

Recently, I experienced an unusual situation, and I decided to share it with you because anyone could fall victim to phishing or something similar. Maybe what I write here will help someone.

For those who know what phishing is, you can skip this. If not, in short:
“an attempt to trick you into taking action or giving out information by pretending to be someone else or making a situation seem serious, using fear, time pressure, and authority (like a supposed email from a service) to make you do something you normally wouldn’t”

I had such a situation, and honestly, I got scared. It looked very “official” – a supposed email, logos, official-looking design, and all that. I was very stressed and panicked, but then I remembered this motto:
“Not everything you see and hear is 100% true; there’s always 50% untruth”

So I calmly pushed it aside and checked everything carefully. Of course, I didn’t click any links he sent me, and you shouldn’t either if you ever find yourself in a similar situation.

I didn’t receive any email – no official message from Tumblr. If it had been real, I probably would have received one.

(Of course, not every blog should be judged like this – this was MY situation; always stay alert!!)

Then I checked the profile of the person who sent me the message. They had about 14 posts (all reblogs), completely random without tags or description, nothing at all. If there were silly jokes, that might be okay, but all the posts had been reblogged almost at the same time. The blog description was huge and… kind of irrelevant to the blog.

I also checked with ChatGPT, sending a screenshot of our conversation and the screenshot of the email he sent me. ChatGPT said it was a scam. Then I checked more thoroughly online, and indeed, it was a scam.

In short: if someone messages you saying they accidentally reported you or something similar and sends a screenshot of a supposed email, stay calm and carefully check the information – do NOT click any links!

If there’s time pressure – like “you have 5 hours to respond” or “this matter is with the police,” mentions of important people from Tumblr moderation or any other site you are on, or claims that they have to contact you personally – it’s fake.

Official emails from Tumblr come directly to your email, they do not threaten police action or give time limits. Before taking any action, they carefully review the situation.

Most importantly: if you haven’t done anything wrong and have a clear conscience, why worry? You didn’t do anything bad, there’s no evidence, and even if someone tries to scare you, the platform will carefully check everything. Nothing truly disappears from the internet.

Don’t be afraid to ask for help from trusted people or moderation – that’s what moderation is for. Nothing bad will happen if you report something suspicious or ask questions.

“Even if the police came to check the situation, you haven’t done anything wrong. You won’t magically get in trouble if someone accidentally reported you.”


Please reblog this post, maybe it will help someone somehow.

cyber-sec

GTFire Phishing Hijacks Google Services to Steal Credentials

Cybercriminals are exploiting Google Firebase and Translate in a massive GTFire campaign, tricking users worldwide into handing over login credentials.

Source: Group-IB

Read more: CyberSecBrief