shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#phishing

PSA [Canada/British Columbia] phishing alert - see screenshot

Whenever/however you are contacted, especially where internet or cellular technology is used, ignore all links etc.

If you receive an email, open (yourself!) a new browser tab & independently navigate to the intended link. 🙏

🚨 ALERT: Banking Apps Under Attack: Credentials Hijacked via Telegram
⚠️ A #malware dropper delivers a stealer disguised as the IndusInd Bank app. It embeds a phishing website inside the Android app to steal victims’ financial data, posing a threat to mobile banking users and financial institutions.

🔍 Analysis: app.any.run/tasks/fe800ccb-fcc

The malware tricks users into entering their sensitive information (registered mobile number, Aadhaar number, PAN card, net banking user ID, etc.) through a fake banking interface embedded in the app.

📥 Once submitted, the stolen data is sent to both the #phishing site and a C2 server controlled via Telegram.

The AndroidManifest.xml shows that the dropper APK has permissions to install applications. The #dropper contains base.apk, the malicious #payload, and is responsible for dropping and executing it.

👨‍💻 Our new #Android sandbox allows #SOC teams to reveal base.apk behavior: communication via Telegram, starting from another location, monitoring incoming messages, and more. Fast access to threat details enables deep analysis and proactive response, mitigating potential damage.

The APK is obfuscated, with all strings #XOR-encrypted with the ‘npmanager’ key. The CyberChef recipe below reveals the script that sends intercepted data to Telegram: gchq.github.io/CyberChef/#reci

#IOCs:
#Phish URL: hxxps://t15[.]muletipushpa[.]cloud/page/
C2 Server (Telegram Bot): hxxps://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE

More IOCs and insights will be shared in our blog post. Let us know if you're interested! 💬

🚀 Expose Android threats in seconds with real-time APK analysis in #ANYRUN Sandbox: app.any.run/?utm_source=mastod
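As an added analyst-side example (not ANY.RUN's code or the CyberChef recipe from the post): the post says the APK's strings are XOR-encrypted with the key 'npmanager'. The helper below applies a repeating-key XOR to a string table and flags decoded entries that reference the Telegram Bot API; the string table is constructed here and the bot token is a placeholder.

```python
# Added example, not from the post: repeating-key XOR decoding of an obfuscated
# Android string table. The key 'npmanager' is the one named in the post; the
# ciphertext table below is constructed inline so the demo is self-contained.
from typing import List

KEY = b"npmanager"  # key named in the post


def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """XOR `data` with `key` cycled over its length; XOR is symmetric, so the
    same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string_table(hex_entries: List[str], key: bytes = KEY) -> List[str]:
    """Decode a list of hex-encoded XOR'd strings. Entries that are not valid
    hex or do not decode as UTF-8 are kept, marked, rather than dropped."""
    decoded = []
    for entry in hex_entries:
        try:
            decoded.append(xor_repeating(bytes.fromhex(entry), key).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable:%s>" % entry)
    return decoded


# Substrings that point at the Telegram Bot API C2 channel described in the post.
INDICATOR_SUBSTRINGS = ("api.telegram.org", "/sendMessage")


def flag_suspicious(decoded: List[str]) -> List[str]:
    """Return decoded strings that reference the Telegram Bot API."""
    return [s for s in decoded if any(tok in s for tok in INDICATOR_SUBSTRINGS)]


# Constructed sample plaintexts (placeholder token, not a real IOC), encrypted
# here with the same routine to build the table an analyst would start from.
SAMPLE_PLAINTEXTS = [
    "https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage",
    "Enter your PAN number",
    "getDeviceId",
]
SAMPLE_TABLE = [xor_repeating(s.encode("utf-8")).hex() for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    strings = decode_string_table(SAMPLE_TABLE)
    for s in flag_suspicious(strings):
        print("C2 indicator:", s)
```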

Phishing Campaign targets OAuth Redirection in Microsoft 365

Pulse ID: 67da8f3e6de7387ac04c667c
Pulse Link: otx.alienvault.com/pulse/67da8
Pulse Author: cryptocti
Created: 2025-03-19 09:32:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Watch out for #phishing emails. My client's #HR manager just received an email purportedly from me asking her to change my bank account details.
Fortunately I'm a contractor so "Payroll" was a bit off as a title, and she checked with me in person.

I'm assuming they made the connection between me and them by scraping #LinkedIn. Another reason to drop it.

I fell for a really sophisticated #phishing email on Saturday. I broke my own #infosec rule:

*** NEVER click on ANYTHING in an email, no matter how convincingly real the email may seem. ***

I say this phish was sophisticated because it was very personalized and required very timely use of coordinated personal info from multiple sources, at least one of which I know was hacked. The email also self-deleted after I clicked the link. Gone.

Luckily the bank caught the first suspicious transaction (within a few minutes) and blocked it. They notified me and I called them. The fraud department wanted to keep the account open, presumably to see if there would be another attempt. Sure enough, a few hours later it happened again. My guess is that they let the second one go through so they could track it. Now the credit card is closed and I have to contact the merchants who charge me regularly. What a hassle.

Via #LLRX - @psuPete Recommends – Weekly highlights on cyber security issues, March 15, 2025: Four highlights from this week's column - The 200+ Sites an #ICE #Surveillance Contractor is Monitoring; US cities warn of wave of unpaid parking #phishing texts; #OPM watchdog to investigate #IT risks tied to #DOGE agency access; and A Brand-New Botnet Is Delivering Record-Size #DDoS Attacks. #cybercrime #cyber #security #privacy llrx.com/2025/03/pete-recommen


A widespread #phishing campaign has targeted nearly 12,000 #GitHub repositories with 🔥 fake "Security Alert" issues, tricking developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and code.

"Security Alert: Unusual Access Attempt We have detected a login attempt on your GitHub account that appears to be from a new location or device," -- reads the GitHub phishing issue.
All of the GitHub phishing issues contain the same text, warning users that there was unusual activity on their account from Reykjavik, Iceland, and the 53.253.117.8 IP address.

bleepingcomputer.com/news/secu


Looks like there is some good human manipulation, er, "social engineering" lately using a pretext of looking for security work and sending links through weird domains that redirect to calendly links for what I assume is an opportunity to continue the con. For now, I would BOLO URIs with ?redirectTo=https://calendly.com/* in the parameters. I can't say they're necessarily malicious, but I would certainly scrutinize them and the domain you see them redirected from, especially if the original subdomain is t or trk.
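As an added example (not the poster's code): a small triage check for the pattern described above, a `redirectTo` parameter pointing at `https://calendly.com/`, with extra attention when the sending host's first label is `t` or `trk`. Sample URLs are constructed and use placeholder domains.

```python
# Added example, not from the post: triage for links whose query carries
# ?redirectTo=https://calendly.com/... , with a flag for a 't' or 'trk'
# subdomain, as the post suggests scrutinizing. Nothing here blocks anything.
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

CALENDLY_PREFIX = "https://calendly.com/"
TRACKING_LABELS = {"t", "trk"}  # subdomains the post singles out


def triage_url(url: str) -> Dict[str, object]:
    """Report which of the post's indicators a URL matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # parse_qs percent-decodes values, so an encoded calendly URL still matches.
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    redirects = [v for v in query.get("redirectto", []) if v.startswith(CALENDLY_PREFIX)]
    tracking_sub = len(labels) > 2 and labels[0] in TRACKING_LABELS
    return {
        "host": host,
        "redirect_to_calendly": bool(redirects),
        "tracking_subdomain": tracking_sub,
        "scrutinize": bool(redirects),                    # any such redirect
        "high_attention": bool(redirects) and tracking_sub,  # redirect from t./trk.
    }


def triage_many(urls: List[str]) -> List[Dict[str, object]]:
    return [triage_url(u) for u in urls]


# Constructed sample inputs; example.com / example.net are placeholders, not IOCs.
SAMPLES = [
    "https://trk.example.net/c?id=42&redirectTo=https://calendly.com/someone/30min",
    "https://t.example.com/l?redirectTo=https%3A%2F%2Fcalendly.com%2Fsomeone",
    "https://www.example.com/page?redirectTo=https://example.com/home",
    "https://calendly.com/someone/30min",
]

if __name__ == "__main__":
    for result in triage_many(SAMPLES):
        print(result)
```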