This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab it and use it for your own program.
Retirees Targeted in High-Stakes Impersonation Scams
New data from the FTC reveals a troubling trend: fraudsters posing as government officials or big-name businesses are zeroing in on older adults, often convincing them to transfer large sums—sometimes their entire life savings.
Key Insights
Reports from adults aged 60+ of losing $10,000 or more to impostor scams have quadrupled since 2020, while losses over $100,000 surged nearly sevenfold. Combined high-value reported losses grew eightfold, highlighting the severity of these attacks.
Scammers commonly use three core deceptive narratives:
Claiming suspicious activity in your accounts.
Asserting your personal information is linked to criminal activity.
Presenting urgent computer security alerts to induce panic-driven actions.
These fraudsters go as far as impersonating the FTC—asking victims to move money to “protect” it, deposit cash at Bitcoin ATMs, or hand over valuables via courier. These demands are absolutely inconsistent with legitimate agency practices.
Further Reading: FTC — Data Spotlight: False alarm, real scam: how scammers are stealing older adults’ life savings
Trickster Domain Uses Japanese Hiragana to Fool Users
A sophisticated phishing campaign is targeting Booking.com users by exploiting a visual trick: replacing the forward slash in URLs with the Japanese hiragana character "ん" (Unicode U+3093). At first glance, the phishing links look like legitimate subdirectories, but they actually redirect users to fake domains. Once clicked, these sites deliver malware—typically via a malicious MSI installer—that could include information stealers or remote access trojans.
Key Insights
The character substitution makes fake URLs appear authentic, even to vigilant users.
Attackers distribute these links through phishing emails, often appearing urgent or official.
The camouflage technique effectively bypasses visual scrutiny and basic email filters.
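As an added example (not code from the newsletter's source article), the Python script below shows why the ん trick works: it compares the host a reader sees, treating each slash look-alike as a real "/", with the host the browser actually resolves, and flags the mismatch. It also covers other slash-confusable characters beyond the hiragana case; evil-example.test is a placeholder for the attacker domain, and both URLs are constructed samples, not real indicators.

```python
"""Spot hostnames that use slash look-alike characters (the hiragana ん described
above, and other confusables) to disguise an attacker-controlled domain as a path.
Added example for this newsletter, not code from the cited report; the URLs are
constructed samples, not real indicators."""
import unicodedata
from urllib.parse import urlsplit

# Characters that read as "/" to a human but are ordinary hostname text to a browser.
# U+3093 is the hiragana ん from the campaign above; the others are standard confusables.
SLASH_CONFUSABLES = {
    "\u3093",  # HIRAGANA LETTER N
    "\uff0f",  # FULLWIDTH SOLIDUS
    "\u2215",  # DIVISION SLASH
    "\u2044",  # FRACTION SLASH
}

# Constructed samples (assumption: evil-example.test stands in for the attacker domain).
LEGIT_URL = "https://account.booking.com/reservations/12345"
TRICK_URL = "https://account.booking.com\u3093reservations\u309312345.evil-example.test/"


def non_ascii_chars(host: str) -> list:
    """Every non-ASCII character in the host with its code point and Unicode name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in host if ord(c) > 0x7F]


def analyze(url: str) -> dict:
    """Compare the host a reader *sees* with the host the browser *resolves*."""
    try:
        real_host = urlsplit(url).hostname or ""
    except ValueError:
        # urlsplit rejects netlocs whose characters NFKC-fold to "/", "?", "#", "@" or ":"
        # (e.g. FULLWIDTH SOLIDUS). A URL the parser refuses is itself worth flagging.
        return {"suspicious": True, "reason": "host rejected by URL parser"}

    # What the eye reads: treat every confusable as a real slash, then re-parse.
    apparent = url
    for ch in SLASH_CONFUSABLES:
        apparent = apparent.replace(ch, "/")
    apparent_host = urlsplit(apparent).hostname or ""

    foreign = non_ascii_chars(real_host)
    return {
        "real_host": real_host,
        "apparent_host": apparent_host,
        "non_ascii": foreign,
        # The IDNA (punycode) form is what DNS actually receives; it shows the
        # fake "path" segments folded into a single xn-- label.
        "punycode": real_host.encode("idna").decode("ascii"),
        "suspicious": bool(foreign) or apparent_host != real_host,
    }


if __name__ == "__main__":
    for u in (LEGIT_URL, TRICK_URL):
        r = analyze(u)
        print(f"{u}\n  sees: {r['apparent_host']}\n  gets: {r['real_host']}\n"
              f"  dns:  {r['punycode']}\n  suspicious: {r['suspicious']}\n")
```

The same comparison can run over URLs extracted from a mail gateway's logs; any hostname with a non-ASCII character, or a mismatch between the seen and resolved host, deserves a second look.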
Further Reading: New Clever Phishing Attack Uses Japanese Character "ん" to Mimic Forward Slash
Mobile Phishing Targets Brokerage Accounts in 'Ramp and Dump' Scheme
Cybercriminal groups are exploiting mobile phishing kits to manipulate foreign stock prices through compromised brokerage accounts. This tactic, known as a "ramp and dump" scheme, involves fraudsters using multiple hijacked accounts to artificially inflate stock prices and then sell off shares, leaving legitimate investors with significant losses. These phishing kits, often sold in Chinese-language communities on platforms like Telegram, convert stolen card data into mobile wallets, facilitating fraudulent transactions. The Financial Industry Regulatory Authority (FINRA) has issued advisories highlighting the risks associated with such schemes.
Key Insights
Fraudsters manipulate stock prices by controlling multiple compromised brokerage accounts.
Mobile phishing kits are sold on platforms like Telegram, targeting financial institutions.
The schemes exploit vulnerabilities in multi-factor authentication processes.
Victims are left with worthless shares, resulting in financial losses.
Further Reading: Krebs on Security
Back-to-School Shopping Scams Surge
As back-to-school shopping ramps up in July and August, scammers are taking advantage with fake storefronts, counterfeit goods, and misleading social media ads designed to trick shoppers into paying for items that never arrive or are of poor quality.
Key Insights
Scammers exploit seasonal spending by promoting deals on supplies like backpacks, laptops, and notebooks.
Fake online stores are promoted through paid search links, email blasts, and targeted social media ads.
Social media ads are particularly risky due to precise targeting and AI-generated ad creatives that lead to scam sites.
Further Reading: McAfee
ClickFix Phishing Links Surge Nearly 400% in Past Year
A recent Proofpoint report revealed a dramatic rise in phishing activity: ClickFix-style attacks—where users are tricked into entering malicious commands under the pretense of fixing an error or completing a CAPTCHA—have surged nearly 400% between May 2024 and May 2025. Meanwhile, malicious URLs now outpace traditional email attachments by a factor of four, underscoring the evolving threat landscape and the growing sophistication of phishing tactics.
Key Insights
ClickFix campaigns have become significantly more prevalent, with a 400% year-over-year increase.
Analysis covered a massive dataset, including over 3.4 trillion emails, 21 trillion URLs, and 1.4 trillion SMS messages.
Users are increasingly encountering phishing via deceptive links rather than attachments—making detection tougher.
The human-centric design of ClickFix techniques makes them highly effective at bypassing conventional email filters.
Further Reading: SC Media – ClickFix phishing links increased nearly 400% in 12 months, report says
Workday CRM Breach Exposes Contact Data
Workday, a major provider of HR technology, disclosed a data breach in which threat actors gained access to a third-party CRM platform through a social engineering campaign. While no customer tenant data was compromised, exposed information—such as names, email addresses, and phone numbers—poses a heightened risk of follow-on phishing attacks or impersonation attempts. The breach was detected on August 6, and Workday has since severed access and strengthened security controls.
Key Insights
The breach exploited a third-party CRM via social engineering techniques such as deceptive calls and texts impersonating HR or IT staff.
Exposed data was limited to business contact information—not internal customer data—but remains useful for phishing campaigns.
This incident aligns with a broader wave of CRM-based attacks targeting organizations via cloud CRM systems.
Reminding users that Workday will never request credentials via phone can help counter social engineering attempts.
Further Reading: Bleeping Computer – HR giant Workday discloses data breach after Salesforce attacks
“SpyVPN” Chrome Extension Secretly Captures Your Screen
A seemingly safe VPN browser extension—marketed as FreeVPN.One and featured on the Chrome Web Store with over 100,000 installs—has been revealed to continuously capture screenshots of every webpage a user visits. These images—including sensitive content like bank accounts, private photos, and documents—are sent silently to a remote server without any disclosure or consent, highlighting a shocking inversion of the privacy expectations typically associated with VPN tools.
Key Insights
Stealthy surveillance disguised as a VPN: Seconds after a page loads, a hidden background process takes a screenshot and exfiltrates it, bundling the capture with metadata like URL and tab ID.
Broad access and tracking: The extension also harvests device information and geolocation data upon installation and startup.
Encrypted exfiltration: To evade detection, later versions implemented AES-256-GCM encryption with RSA wrapping—making the data leaks harder to trace.
Excessive permissions abused: What should have been a simple VPN extension intentionally requested wide-ranging permissions, enabling full visibility into user browsing activity.
False trust via validation badges: Despite appearing legitimate—with Google verification and featured placement—the extension’s violations slipped past marketplace checks, underlining gaps in app vetting processes.
Further Reading: Koi Security
AI Website Builder “Lovable” Abused by Cybercriminals for Phishing & Malware
Proofpoint research warns that adversaries are exploiting Lovable, an AI-powered website builder, to rapidly create phishing and malicious websites using natural-language prompts. Since February 2025, Proofpoint has detected tens of thousands of malicious Lovable-hosted URLs, involving MFA phishing kits, crypto wallet drainers, credential harvesting traps, and other fraud schemes. Campaigns have infiltrated over 5,000 organizations and included impersonation of brands like Microsoft, UPS, and Aave. The platform’s free hosting and AI-driven convenience enable attackers to launch effective social engineering attacks with minimal effort.
Key Insights
Low-barrier phishing infrastructure: Creating convincing phishing sites now takes just one or two prompts—no coding required.
Massive campaign scale: Hundreds of thousands of URLs circulated via emails, targeting organizations across industries.
Diverse tactics: Campaigns include fake CAPTCHAs leading to credential theft, malware disguised as secure downloads, and crypto-stealing mechanisms.
Brand spoofing: Attackers mimicked trusted entities like Microsoft, UPS, banks, and DeFi platforms to increase credibility.
Emerging security gap: AI-based website tools lack built-in safeguards, making them ripe for abuse by malicious actors.
Further Reading: Proofpoint
ClickFix Social-Engineering Attack: “Think Before You Click(Fix)”
Microsoft Threat Intelligence and Defender experts are sounding the alarm over the growing prevalence of the ClickFix technique—a manipulative form of social engineering that tricks users into executing malicious commands under the guise of fixing technical issues or completing human-verification prompts. Since early 2024, thousands of enterprise and consumer devices across various industries have been targeted, frequently delivering infostealing malware like Lumma Stealer, remote access tools (e.g., Xworm, NetSupport), and loaders such as Latrodectus. The technique often leverages phishing, malvertising, and compromised sites to lure users into copying commands manually into Run dialogs, PowerShell, or Terminal, effectively bypassing many automated security solutions. Attackers are also advancing their methods with obfuscation and staged payload delivery to evade detection. Microsoft underscores the importance of user education and endpoint hardening to counteract this social-engineering vector.
Key Insights
Human-driven threat: Relies on social engineering, persuading users to run malicious commands themselves—circumventing standard security controls.
Wide-ranging payloads: Includes infostealers, remote access Trojans, and loaders, delivering significant post-compromise capabilities.
Multi-vector distribution: Spread via phishing emails, deceptive ads, and compromised sites impersonating legitimate brands.
Evasive operator tactics: Employs obfuscated JavaScript and command delivery to evade detection.
Strategic defenses: Focus on user awareness training and endpoint constraint measures (e.g., logging, Run dialog restrictions).
Further Reading: Microsoft Security Blog – “Think before you Click(Fix): Analyzing the ClickFix Social Engineering Technique”
Password Managers Vulnerable to DOM-Based Extension Clickjacking
A groundbreaking new attack technique—dubbed “DOM-based Extension Clickjacking”—was revealed by security researcher Marek Tóth (presented at DEF CON 33). The method exploits how browser extensions inject UI elements into web pages. By invisibly overlaying or manipulating these extension interfaces, an attacker can trick a user’s single click into triggering autofill of highly sensitive data—such as credentials, one-time passwords (TOTP), credit card details, and personal information—without the user realizing it. This impacts popular password managers and potentially other DOM-manipulating extensions.
Key Insights
Single-click compromise: Users are tricked by innocuous-looking clicks (e.g., closing a popup), which instead activate hidden autofill forms and expose sensitive data.
Widespread risk: All 11 tested password managers—including Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, and LogMeOnce—were initially vulnerable. Millions of users may be affected.
Diverse data at stake: Attacks can steal login credentials, TOTP codes, passkeys, credit card information, and personal data.
Some vendors still unpatched: While fixes are in progress for certain apps, several remain vulnerable.
Mitigation suggestions: Users should disable autofill or switch to manual copy-paste workflows. Chrome users can set extension permissions to “on click” to reduce exposure.
Further Reading: Marek Tóth – DOM-based Extension Clickjacking: Your Password Manager Data at Risk
MuddyWater APT Targets CFOs via Multi-Stage Phishing Campaign
A sophisticated spear-phishing campaign by the Iranian-linked APT group MuddyWater is actively targeting Chief Financial Officers (CFOs) and finance executives across multiple continents. The campaign leverages legitimate remote-access tools, such as NetBird, to maintain persistent control over compromised systems. Attackers masquerade as Rothschild & Co recruiters, directing victims to Firebase-hosted phishing pages with custom CAPTCHA challenges and malicious VBS scripts. These scripts deploy remote management capabilities, including NetBird and OpenSSH, create hidden local administrator accounts, enable Remote Desktop Protocol (RDP), and automate persistence through scheduled tasks. The infrastructure has evolved over time, with shifts in hosting paths and IP addresses, indicating an adaptive and persistent threat. This campaign showcases the increasing sophistication of threat actors in targeting high-value individuals within organizations.
Key Insights
Targeted Individuals: CFOs and finance executives across Europe, North America, South America, Africa, and Asia.
Initial Access: Spear-phishing emails impersonating Rothschild & Co recruiters leading to Firebase-hosted phishing pages.
Payload Delivery: Multi-stage infection using VBS downloaders, ZIP archives, and secondary payloads.
Persistence Mechanisms: Deployment of NetBird and OpenSSH, creation of hidden local admin accounts, enabling RDP, and scheduled task automation.
Infrastructure Evolution: Shifts in hosting paths and IP addresses, indicating adaptive tactics.
Attribution: Overlaps in infrastructure, TTPs, and tools with known APT MuddyWater campaigns.
Legitimate Tool Abuse: Misuse of NetBird and OpenSSH for remote access and monitoring.
Further Reading: Hunt.io – APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs
Surge in 'Task Scams' Targeting Job Seekers
Trend Micro has reported a significant increase in "task scams," a fraudulent scheme where scammers pose as legitimate recruiters offering online tasks in exchange for payment. Victims are lured through platforms like WhatsApp, SMS, and Telegram, often impersonating well-known staffing firms or marketing agencies. Initially, individuals are asked to complete simple online activities, such as liking social media posts or providing product reviews. Over time, these tasks escalate, requiring larger financial deposits for higher-paying assignments, ultimately leading to substantial financial losses.
Key Insights
Financial Impact: One identified cryptocurrency wallet received over $1.2 million in transactions linked to task scam activities.
Psychological Manipulation: Scammers employ gamification techniques, such as VIP levels and reward streaks, to keep victims engaged and invested.
Delayed Realization: A global study found that 39% of victims only recognized they had been scammed after significant financial loss.
Cryptocurrency Usage: Scammers utilize cryptocurrency for transactions, making it challenging to trace and recover funds.
Defensive Tools: Trend Micro’s ScamCheck with Scam Radar helps users identify scam tactics in real time by analyzing content such as images, text, and URLs.
Further Reading: Trend Micro – Unmasking Task Scams
Attackers Exploit Google Classroom for Large-Scale Campaign
Researchers identified a phishing campaign abusing Google Classroom to bypass email security and deliver malicious messages. Over 115,000 phishing emails targeted 13,500 organizations across multiple industries, with attackers leveraging legitimate Google Classroom notifications to appear trustworthy.
Key Insights
More than 100,000 phishing emails were delivered via Google Classroom.
Attackers exploited the platform’s trusted reputation to avoid detection.
13,500 organizations across different industries were impacted.
The campaign highlights how threat actors misuse legitimate collaboration tools for phishing.
Further Reading: Check Point
Gmail Accounts Targeted in Phishing Wave After Google Data Leak
A recent data leak affecting Google has led to a surge in phishing attacks targeting Gmail users. Threat actors are using compromised information to craft convincing phishing emails designed to steal account credentials. The campaign highlights how quickly attackers weaponize leaked data against large user bases.
Key Insights
Google data leak triggered a large-scale phishing campaign.
Attackers are tailoring emails to increase success rates.
Gmail users are at heightened risk of credential theft.
Further Reading: Dig Watch
Retail & Hospitality Industries Targeted by Digital Heists
Palo Alto Networks’ Unit 42 reports that cybercriminals are increasingly targeting retail and hospitality sectors through credential theft, payment card fraud, and loyalty program abuse. Attackers are leveraging phishing, malware, and third-party compromise to infiltrate these industries, with stolen credentials being a primary entry point.
Key Insights
Retail and hospitality are frequent targets due to high transaction volumes and valuable customer data.
Credential theft remains a top tactic, enabling lateral movement and further fraud.
Loyalty programs and stored payment methods are prime targets for monetization.
Further Reading: Palo Alto Networks – Unit 42
FIFA World Cup 2026 Sparks Surge in Scam Domain Registrations
Cybersecurity researchers report a sharp increase in suspicious domain registrations tied to the upcoming FIFA World Cup 2026. PreCrime Labs analyzed nearly 500 domains embedding terms like “FIFA,” “worldcup,” and “football.” These domains have been categorized into typosquats, fake merchandise or betting sites, ticketing bait, and deceptive fan portals. The campaign demonstrates sophisticated tactics including early domain aging and AI-assisted bulk creation.
Key Insights
Domain Aging Strategy: Domains registered well in advance—some even for 2030 and 2034 tournaments—to appear legitimate and evade filters.
Global Scope & AI Usage: Registrations originated from various regions, including the U.S., China, Iceland, Canada, and the Netherlands. Certain batches showed algorithmic naming patterns, suggesting automated registration.
TLD & Fraud Lures: .com dominated, followed by .online, .football, .org, .xyz, and .shop. Sites feigned merchandise stores, live streaming, betting platforms, travel services, and even crypto “FIFA Coin” ICOs.
Pre-event Scam Infrastructure: Illustrates how major events attract layered cyber threat campaigns—from phishing and fake ticket portals to credential harvesting and financial fraud.
Further Reading: Cybernews – Criminals Preparing for Scam Bonanza Ahead of FIFA World Cup 2026
Malvertising Campaign on Meta and Android Distributes Advanced Crypto-Stealing Malware
A new malvertising campaign, revealed by Bitdefender Labs, is exploiting Meta’s advertising platform to push deceptive ads that redirect users to malware-laden downloads. These ads impersonate trusted applications—such as CapCut, Office 365, Netflix, and others—and deliver SYS01 InfoStealer, a stealthy tool embedded within an Electron-based application, primarily aimed at harvesting Facebook credentials and enabling further cyberattacks.
Key Insights
Seamless guise of legitimacy: Ads mimic trusted brands and platforms to appear harmless, effectively bypassing user suspicion.
Electron-based malware: The malicious payload is delivered via a misleading app installer, enabling robust evasion through local execution.
Global reach and dynamic adaptability: Campaign targets users worldwide, especially those over 45, using nearly 100 domains and constantly shuffling payloads to avoid detection.
Persistent botnet infrastructure: Stolen credentials are reused to run legitimate-looking malicious advertisements, maintaining the campaign’s reach without rebuilding infrastructure.
Further Reading: Bitdefender – Malvertising Campaign on Meta Expands to Android, Pushing Advanced Crypto-Stealing Malware to Users Worldwide
Analysing Targeted Spearphishing: C-Suite
A spearphishing campaign has been discovered, targeting C-suite executives and senior leadership across various industries. The attack uses highly personalized phishing emails that mimic internal HR communications, paired with advanced anti-detection measures and infrastructure rotation to evade defenses.
Key Insights
High-value targeting: Email subjects like “Salary amendment” and “FIN_SALARY” impersonate OneDrive document notifications to trick executives. Emails and phishing pages are customized with recipient names and company details.
Credential theft mechanism: Victims are directed to fake Microsoft Office/OneDrive login pages that harvest credentials. Phishing URLs are single-use and self-destruct upon access.
Stealthy email delivery: The campaign uses Amazon SES for sending, toggling across approximately 80 dynamic domains and subdomains to evade filtering. Preliminary benign emails (“warming up” inboxes) may precede the phishing attempt.
Robust infrastructure footprint: DNS via Cloudflare, hosting on Akamai Cloud, and domain registration mainly through Mat Bao Corporation, with additional registrars like WebNic.cc and Luxhost used for resilience.
Further Reading: Stripe OLT – Analysing Targeted Spearphishing: Social Engineering, Domain Rotation, and Credential Theft
DSLRoot Proxies = “Legal Botnets”? A New and Hidden Risk
A recent investigation has pulled back the curtain on DSLRoot—a residential proxy service that legally distributes traffic through users’ home Internet connections. Paying U.S. participants up to $250/month to host devices, DSLRoot aggregates and sells these IPs as dedicated proxies. Although the setup may seem benign, experts warn this infrastructure is ripe for abuse—enabling anonymized cyber activities under the guise of legitimacy.
Key Insights
Monetizing Your Bandwidth: Users—sometimes unknowingly—host DSLRoot’s systems at home and get paid for relaying traffic, which can be used for anything from anonymizing browsing to launching malicious operations.
Origins Rooted in Proxy Marketplaces: DSLRoot traces back to Russian-linked proxy networks and underground forums.
Not Your Typical Botnet: Because devices are used with owner consent and no malware is involved, traditional detection systems may not flag this activity—thus creating the concept of a “legal botnet.”
Network Device Risks: DSLRoot’s software may manipulate home routers—enumerating Wi-Fi networks and exploiting hardcoded credentials—broadening the attack footprint.
Broader Implications: Residential proxies are increasingly tied to scraping, DDoS, credential stuffing, and evasion of IP blocking, making them a growing security challenge.
Further Reading: KrebsOnSecurity – “DSLRoot, Proxies, and the Threat of ‘Legal Botnets’”