Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.
Yasna brings together recent headlines from selected sources and makes them easier to sort with tags, filters, and search.
Search across headline titles and summaries.
Weekly headline count for the current query.
In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.
The phishing-as-a-service platform was popular among cyber threat actors because of its ability to bypass multifactor authentication defenses.
A user-friendly PhaaS tool beats standard methods for detecting phishing attacks by live-proxying legitimate login sites.
Researchers discovered a novel phishing attack that serves the victim a QR code as part of supposed multifactor authentication (MFA), in order to get around FIDO-based protections.
Hackers are exploiting trusted authentication flows — like Microsoft Teams and IoT logins — to trick users into handing over access tokens, bypassing MFA and slipping undetected into corporate networks.
Use SSO, don't use SSO. Have MFA, don't have MFA. An analysis of a snapshot of organizations using Push Security's platform finds that 99% of accounts susceptible to phishing attacks.
The gang already uses varied tools in its attacks, such as phishing, SIM swapping, and MFA fatigue.
Threat actors are widely adopting the fast-growing, low-cost phishing-as-a-service (PhaaS) platform, which is sold via Telegram.
Axiad's State of Authentication Survey also found nearly half of respondents think phishing is the most likely cyberattack, yet only 27% plan to use phishing-resistant MFA next year.
Attackers sent more than 1,000 emails with 2FA, MFA, and other security-related lures aimed at stealing Microsoft credentials.
A campaign sent 120,000 phishing emails in three months, circumventing MFA to compromise cloud accounts of high-level executives at global organizations
A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.
Extending multifactor authentication to include device identity assurance offers more authentication confidence than what multiple user-identity factors can by themselves.
Nok Nok’s S3 Suite brings next-level MFA to UberEther’s IAM Advantage Platform to protect the US federal government and its suppliers.
Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.
The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.
The massive phishing campaign does not exploit a vulnerability in MFA. Instead, it spoofs an Office 365 authentication page to steal credentials.