PSA [Canada/British Columbia] phishing alert - see screenshot

Whenever/however you are contacted, especially where internet or cellular technology is used, ignore all links etc.

If you receive an email, open (yourself!) a new browser tab & independently navigate to the intended link.

ALERT: Banking Apps Under Attack: Credentials Hijacked via Telegram
A #malware dropper delivers a stealer disguised as the IndusInd Bank app. It embeds a phishing website inside the Android app to steal victims’ financial data, posing a threat to mobile banking users and financial institutions.

Analysis: https://app.any.run/tasks/fe800ccb-fccc-42a6-a11d-a3d2b6e89edf/?utm_source=mastodon&utm_medium=post&utm_campaign=android_banking_app&utm_term=200325&utm_content=linktoservice

The malware tricks users into entering their sensitive information (registered mobile number, Aadhaar number, PAN card, net banking user ID, etc.) through a fake banking interface embedded in the app.

Once submitted, the stolen data is sent to both the #phishing site and a C2 server controlled via Telegram.

The AndroidManifest.xml shows that the dropper APK has permissions to install applications. The #dropper contains base.apk, the malicious #payload, and is responsible for dropping and executing it.

Our new #Android sandbox allows #SOC teams reveal base.apk behavior: communication via Telegram, starting from another location, monitoring incoming messages, and more. Fast access to threat details enables deep analysis and proactive response, mitigating potential damage.

The APK is obfuscated, with all strings #XOR-encrypted with the ‘npmanager’ key. The CyberChef recipe below reveals the script that sends intercepted data to Telegram: https://gchq.github.io/CyberChef/#recipe=From_Hex%28%27Auto%27%29XOR%28%7B%27option%27%3A%27UTF8%27%2C%27string%27%3A%27npmanager%27%7D%2C%27Standard%27%2Cfalse%29%26oeol%3DNEL

#IOCs:
#Phish URL: hxxps://t15[.]muletipushpa[.]cloud/page/
C2 Server (Telegram Bot): hxxps://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE

More IOCs and insights will be shared in our blog post. Let us know if you're interested!

Expose Android threats in seconds with real-time APK analysis in #ANYRUN Sandbox: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=android_banking_app&utm_term=200325&utm_content=linktoregistration#register/

Phishing-as-a-service is an area that is increasing rapidly according to research by security vendor Barracuda Networks, which says it has detected a “massive spike” in PhaaS attacks in the first two months of this year.

https://www.computing.co.uk/news/2025/security/massive-spike-in-phishing-as-a-service-attacks-in-2025-research

For folks that track this sort of thing, my org is receiving phishing text messages from the number +1 484-336-5647. All were reported but unsure if/when this number will get deactivated by the carrier.

Phishing Campaign targets OAuth Redirection in Microsoft 365

Pulse ID: 67da8f3e6de7387ac04c667c
Pulse Link: https://otx.alienvault.com/pulse/67da8f3e6de7387ac04c667c
Pulse Author: cryptocti
Created: 2025-03-19 09:32:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Watch out for #phishing emails. My client's #HR manager just received an email purportedly from me asking her to change my bank account details.
Fortunately I'm a contractor so "Payroll" was a bit off as a title, and she checked with me in person.

I'm assuming they made the connection between me and them by scraping #LinkedIn. Another reason to drop it.

I fell for a really sophisticated #phishing email on Saturday. I broke my own #infosec rule:

*** NEVER clicking on ANYTHING in an email, no matter how convincingly real the email may seem. ***

I say this phish was sophisticated because it was very personalized and required very timely use of coordinated personal info from multiple sources, at least one of which I know was hacked. The email also self-deleted after I clicked the link. Gone.

Luckily the bank caught the first suspicious transaction (within a few minutes) and blocked it. They notified me and I called them. The fraud department wanted to keep the account open, presumably to see if there would be another attempt. Sure enough, a few hours later it happened again. My guess is that they let the second one go through so they could track it. Now the credit card is closed and I have to contact the merchants who charge me regularly. What a hassle.

Who is sending those scammy text messages about unpaid tolls?

They want your payment information. And your personal information. #Phishing kits for this particular campaign originate from China.

#cybersecurity #security #scams

https://cyberscoop.com/toll-road-text-message-scam-swells-nationwide-how-to-stop/

Who is sending those scammy text messages about unpaid tolls?

The latest smishing scam follows a familiar process as ones the industry has seen over the past decade.

https://cyberscoop.com/toll-road-text-message-scam-swells-nationwide-how-to-stop/

Via #LLRX - @psuPete Recommends – Weekly highlights on cyber security issues, March 15, 2025: Four highlight's from this week's column - The 200+ Sites an #ICE #Surveillance Contractor is Monitoring; US cities warn of wave of unpaid parking #phishing texts; #OPM watchdog to investigate #IT risks tied to #DOGE agency access; and A Brand-New Botnet Is Delivering Record-Size #DDoS Attacks. #cybercrime #cyber #security #privacy https://www.llrx.com/2025/03/pete-recommends-weekly-highlights-on-cyber-security-issues-march-15-2025/

A widespread #phishing campaign has targeted nearly 12,000 #GitHub repositories with
fake "Security Alert" issues,
tricking developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and code.

"Security Alert: Unusual Access Attempt We have detected a login attempt on your GitHub account that appears to be from a new location or device," -- reads the GitHub phishing issue.
All of the GitHub phishing issues contain the same text, warning users that there was unusual activity on their account from Reykjavik, Iceland, and the 53.253.117.8 IP address.

https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/

#Coinbase #phishing #email tricks users with fake wallet migration

https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tricks-users-with-fake-wallet-migration/

AP: Don’t click on those road toll texts. Officials issue warnings about the smishing scam https://apnews.com/article/outstanding-toll-scams-smishing-phishing-fbi-c2948f44b810d5160b60738b95486ae9 @AssociatedPress #cybersecurity #infosec #phishing

Interisle posts quarterly phishing, spam, and malware activity reports at the Cybercrime Information Center (https://cybercrimeinfocenter.org/phishing-activity).

Monthly activity briefs for these cybercrimes will now be shared via Interisle.substack.com.

Cybercrime Report: January 2025
https://interisle.substack.com/p/cybercrime-report-january-2025

@deepthoughts10 @cR0w I upped my geoshitties list of free and abused web hosting. Some are easily blocked while others are better for warnings (gitbook[.]io)

https://github.com/BadSamuraiDev/bs-lists/blob/main/geoshitties.txt

Looks like there is some good human manipulation, er, "social engineering" lately using a pretext of looking for security work and sending links through weird domains that redirect to calendly links for what I assume is an opportunity to continue the con. For now, I would BOLO URIs with ?redirectTo=https://calendly.com/* in the parameters. I can't say they're necessarily malicious, but I would certainly scrutinize them and the domain you see them redirected from, especially if the original subdomain is t or trk.

Noticing many emails into the junk folder that I'd normally report and block that can no longer be reported or blocked, only deleted.

Anyone else seeing that?

Pas op mensen, #DigiD #oplichting per brief. #phishing

Via deorkaan.nl

https://www.deorkaan.nl/opgepast-digid-oplichting-per-brief/