

⚠️⚠️⚠️ À faire tourner, surtout auprès des nouvelles et nouveaux de Mastodon ⚠️⚠️⚠️
Depuis quelques jours, des messages de phishing circulent ici, prétendant être émis par "la modération de Mastodon" et indiquant que "votre compte est suspendu", avec un lien pour "débloquer le compte". ‼️‼️
C'est bien évidemment une arnaque, mais j'ai vu des messages de gens en panique face à ça.
Alors, faites tourner l'info, signalez ces comptes, rassurez les gens 😊😊😊
#arnaque #phishing

🔔🔔 Complément d'informations sur la moderation 🔔🔔
Mastodon moderation team et Mastodon support team n'existent pas.
Personne ne modère Mastodon dans son intégralité.
La modération est opérée par chaque instance, selon ses règles propres.
Si d'aventure votre compte devait être suspendu, VOUS SERIEZ AVERTI PAR MAIL, et non via un message sur Mastodon
#arnaque #phishing

ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

People are more likely, not less, to smell something fishy if they see a random string of digits when they expect the name of a site they trust.
If this is the only argument against certificates for IP addresses, I think we’re good.
Experienced users like you and I know to hover over links, check certificate info, or inspect the address bar. But many users don’t do that — or worse, they click links without verifying anything. According to the Verizon DBIR and other phishing studies, this is still one of the top attack vectors today.
Also, I don’t think the article was arguing against IP certs outright — just highlighting that, like with any new capability, there's potential for abuse that the broader public (and infosec community) should be aware of.

If you get an email from a big company saying you're a match for a job, and then asks you to log in using Facebook, you're staring down the barrel of a scam. https://www.pickr.com.au/news/2025/scammers-turn-to-fake-job-emails-and-fake-facebook-what-to-do #howto #news #online #internetsecurity #mcafee #phishing #scams