WhatsApp users targeted in account takeover attack dubbed GhostPairing

The "GhostPairing Attack" is a social engineering campaign that exploits WhatsApp's device pairing feature by tricking victims into entering WhatsApp authentication codes via fake Facebook pages, authorizing attackers' browsers as linked devices with full access to messages and contacts. Most victims remain unaware that they have been compromised and their WhatsApp account becomes a vector to scam others.

**Never trust unexpected cryptic messages on your messaging platforms, even from contacts you trust, especially if they have links or phone numbers to call. They are most probably phishing. Check your WhatsApp Settings → Linked Devices and remove any sessions you don't recognize.**
#cybersecurity #infosec #scam #phishing #activephishing
https://beyondmachines.net/event_details/whatsapp-users-targeted-in-account-takeover-attack-dubbed-ghostpairing-n-a-y-8-j/gD2P6Ple2L

WhatsApp users targeted in account takeover attack dubbed GhostPairing

The "GhostPairing Attack" is a social engineering campaign that exploits WhatsApp's device pairing feature by tricking victims into entering WhatsApp authentication codes via fake Facebook pages, authorizing attackers' browsers as linked devices with full access to messages and contacts. Most victims remain unaware that they have been compromised and their WhatsApp account becomes a vector to scam others.

**Never trust unexpected cryptic messages on your messaging platforms, even from contacts you trust, especially if they have links or phone numbers to call. They are most probably phishing. Check your WhatsApp Settings → Linked Devices and remove any sessions you don't recognize.**
#cybersecurity #infosec #scam #phishing #activephishing
https://beyondmachines.net/event_details/whatsapp-users-targeted-in-account-takeover-attack-dubbed-ghostpairing-n-a-y-8-j/gD2P6Ple2L

Phishingversuch bei Outfittery: Datenleck beim Kleiderversand?

Der Berliner Kleidungsversand bat Kunden um eine Aktualisierung ihrer Zahlungsdaten. Der Link in der E-Mail führte jedoch auf eine Phishing-Seite.

https://www.heise.de/news/Phishingversuch-bei-Outfittery-Datenleck-beim-Kleiderversand-11119889.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#Datenleck #IT #Phishing #Security #Wirtschaft #news

Phishingversuch bei Outfittery: Datenleck beim Kleiderversand?

Der Berliner Kleidungsversand bat Kunden um eine Aktualisierung ihrer Zahlungsdaten. Der Link in der E-Mail führte jedoch auf eine Phishing-Seite.

https://www.heise.de/news/Phishingversuch-bei-Outfittery-Datenleck-beim-Kleiderversand-11119889.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#Datenleck #IT #Phishing #Security #Wirtschaft #news

Telekom startet System gegen Betrugsanrufe

Jemand ruft an, die Nummer ist nicht eingespeichert. Man geht ran und lässt sich in ein Gespräch verwickeln. Das ist meist keine gute Idee.

https://www.heise.de/news/Telekom-startet-System-gegen-Betrugsanrufe-11117623.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#Kriminalität #Cybersecurity #DeutscheTelekom #IT #Mobiles #Phishing #Security #news

As mentioned in the first post the #Phishing use a very long sender to hide the sender domain.

But how the senders are structured is also intentional to play tricks on our brain in two different ways:

The senders pretend to be from HR (matching the expectations).

The senders contain a "noreply" priming us for non-human email address

Some of the senders used an additional trick.
Their from-addresses look like a team meeting link. Triggering our pattern recognition and tricking our brain into thinking "I know what this is. Therefore, I don't need to think about it"

It might surprise you but the local part of an email address (the stuff before the @) can be basically anything (including case sensitive)

More here https://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx/

Checking the PDF properties reveals some other suspicious details:

PDF creator: wkhtmltopdf 0.12.6
PDF producer: Qt 4.8.7

wkhtmltopdf is command line tools to render HTML into PDF using the QT Webkit rendering engine.

Which would be a strange tool for typical HR systems creating these kinds of messages.

The identical PDF creator suggests that, if it's not the same group behind the attacks, they at least seem to use the same tooling.

#Phishing

The use of the QR code has another advantage for the attackers. While the targets received the email on their (hopefully) well protected company device. They will quit likely use their (private) mobile phone to scan the QR code

Which essentially circumvents all enterprise security measures

#Phishing

Nothing spectacular here

Two of these attacks were empty messages containing a branded PDF.

The PDFs contained very appreciative messages:

Examples:
"We are pleased to inform you that, effective 01 January 2026, your base salary will be adjusted. This adjustment recognizes your valuable contributions to the company and reflects our commitment to maintaining fair, market-aligned compensation."

"Thank you for your hard work and continued commitment. Your dedication has not gone unnoticed, and as a reflection of your contributions, we’re pleased to acknowledge this with a salary increment. Your efforts truly make a difference, and we’re excited to move forward into a new month with fresh goals, continued teamwork, and shared success"

Sidenote: I think many HR departments could learn from the wording used.

Follow by the instructions to review this through the include QR code and to keep the message confidential.

Sidenote: Secrecy is a common technic used by attackers to increase the success rate. A review by a second pair of eyes would improve the chance to encounter a "Wait, this looks too good to be true" revelation.

The QR code was split into two images to hide it from content filters. They would need to stich the images correctly before they could detect the URL hidden in the QR code

The green bar stating that "E-mail was scanned by mail security and is believed to be clean." is also a nice psychological touch. What could possibly go wrong if the email was checked by security 😬

#Phishing

We recently see a wave of salary adjustment #Phishing

While they are not breathtakingly new and brilliant they use several different technics. Some of which exploited interesting aspect I'd like to share.

First, they used a tempting-sounding subject line like:

• Payment Docs
• Document Review Ѕаlаrу
• Salary Adjustment Notification

and (at least some) a very long Sender name or address, hiding the sender domain

Ich muss mal vor einer wohl neuen Phishing-Masche warnen: in Mails, die angeblich von ELSTER kommen, steht, es sei ein amtliches Dokument hinterlegt und müsse abgerufen werden (irgendwas mit Referenzakte). Wenn man auf den Link klickt, soll man seine ELSTER-Daten eintragen.

Die Mails sehen ziemlich echt aus.

Teilen wäre schön, damit mehr Personen gewarnt werden. #phishing #elster

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

SMS phishers pivot to points, taxes, fake retailers

https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/

#HackerNews #SMSphishing #taxfraud #cybersecurity #phishing #scams #fake #retailers

Es ist #ComputerSecurityDay! 🔒
Trotz High-Tech bleibt der Mensch oft das Einfallstor Nr. 1 für Cyberangriffe (Stichwort #Phishing).

Wie macht ihr euer Team fit?
1️⃣ Unser Projekt #M4SKI unterstützt euch dabei: https://t1p.de/q1wdb
2️⃣ Oder trefft unseren Experten Prof. Florian Adamsky ( @c1t ) persönlich zum Thema aktueller Security-Herausforderungen
📅 04.12.2025, Kronach
Infos & Anmeldung: https://t1p.de/82tjt

#dieforschendehochschulehof #hierwirdknallhartgeforscht #ITSicherheit #it

Oggi doppietta di finti avvisi dai “Carabinieri / Ministero della Giustizia” nella mia casella email.

Stesso copione: mi accusano di aver visto “contenuti illegali”, allegano un PDF e vogliono una risposta urgente a un indirizzo farlocco.

Giusto un ripasso su come riconoscere e schivare queste truffe 👇

1️⃣ Il mittente non torna

Dominio strano, tipo qualcosa@mailo.com o finta PEC come carabinieri-qualcosa-pec-it.com.

Le forze dell’ordine non usano Gmail/Yahoo/Mailo per convocarti.

2️⃣ Tono allarmistico + senso di colpa

Ti accusano di cose gravissime per farti andare nel panico.

Puntano a farti cliccare in fretta sull’allegato o a farti rispondere senza pensarci.

3️⃣ Allegati “urgenti” da aprire

PDF/DOC con “convocazione”, “citazione”, “verbale”.

Non aprire mai allegati da mittenti sospetti: dentro può esserci malware.

4️⃣ Canale sbagliato

Per cose serie (denunce, convocazioni, ecc.) arrivano PEC ufficiali, raccomandate o notifiche formali, non email a caso con un PDF in allegato e un indirizzo strano a cui scrivere.

Cosa fare in pratica?

Non rispondere, non cliccare, non aprire allegati.

Segna il messaggio come #spam / #phishing nel tuo client.

Se hai dubbi non usare i contatti nella mail: cerca tu i recapiti ufficiali (sito della Polizia Postale, Carabinieri, ecc.) e chiedi conferma.

Più queste cose le conosciamo, meno terreno lasciamo ai truffatori.
Se vi arrivano email del genere: respirate, non fate clic e cestino senza pietà. 🗑️💻

#truffe

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

Es ist #ComputerSecurityDay! 🔒
Trotz High-Tech bleibt der Mensch oft das Einfallstor Nr. 1 für Cyberangriffe (Stichwort #Phishing).

Wie macht ihr euer Team fit?
1️⃣ Unser Projekt #M4SKI unterstützt euch dabei: https://t1p.de/q1wdb
2️⃣ Oder trefft unseren Experten Prof. Florian Adamsky ( @c1t ) persönlich zum Thema aktueller Security-Herausforderungen
📅 04.12.2025, Kronach
Infos & Anmeldung: https://t1p.de/82tjt

#dieforschendehochschulehof #hierwirdknallhartgeforscht #ITSicherheit #it

Ich muss mal vor einer wohl neuen Phishing-Masche warnen: in Mails, die angeblich von ELSTER kommen, steht, es sei ein amtliches Dokument hinterlegt und müsse abgerufen werden (irgendwas mit Referenzakte). Wenn man auf den Link klickt, soll man seine ELSTER-Daten eintragen.

Die Mails sehen ziemlich echt aus.

Teilen wäre schön, damit mehr Personen gewarnt werden. #phishing #elster

Oggi doppietta di finti avvisi dai “Carabinieri / Ministero della Giustizia” nella mia casella email.

Stesso copione: mi accusano di aver visto “contenuti illegali”, allegano un PDF e vogliono una risposta urgente a un indirizzo farlocco.

Giusto un ripasso su come riconoscere e schivare queste truffe 👇

1️⃣ Il mittente non torna

Dominio strano, tipo qualcosa@mailo.com o finta PEC come carabinieri-qualcosa-pec-it.com.

Le forze dell’ordine non usano Gmail/Yahoo/Mailo per convocarti.

2️⃣ Tono allarmistico + senso di colpa

Ti accusano di cose gravissime per farti andare nel panico.

Puntano a farti cliccare in fretta sull’allegato o a farti rispondere senza pensarci.

3️⃣ Allegati “urgenti” da aprire

PDF/DOC con “convocazione”, “citazione”, “verbale”.

Non aprire mai allegati da mittenti sospetti: dentro può esserci malware.

4️⃣ Canale sbagliato

Per cose serie (denunce, convocazioni, ecc.) arrivano PEC ufficiali, raccomandate o notifiche formali, non email a caso con un PDF in allegato e un indirizzo strano a cui scrivere.

Cosa fare in pratica?

Non rispondere, non cliccare, non aprire allegati.

Segna il messaggio come #spam / #phishing nel tuo client.

Se hai dubbi non usare i contatti nella mail: cerca tu i recapiti ufficiali (sito della Polizia Postale, Carabinieri, ecc.) e chiedi conferma.

Più queste cose le conosciamo, meno terreno lasciamo ai truffatori.
Se vi arrivano email del genere: respirate, non fate clic e cestino senza pietà. 🗑️💻

#truffe