Hacker News with Generative AI: Phishing

Malware Attack and Counterattack (antoineschmitt.com)
This is the story of a phishing, of a hacking, of what I learned, and how I counterattacked
Cybersecurity, Phishing, Hacking, Countermeasures
20 points by todsacerdoti 4 days ago | 4 comments
Exposing Darcula: behind the scenes of a global Phishing-as-a-Service operation (mnemonic.io)
Cybersecurity, Phishing, Malware, Dark Web, Research
11 points by karencarits 20 days ago | 3 comments
$6.7M stolen from city of Portland in phishing scheme (oregonlive.com)
A person posing as a city of Portland vendor persuaded a city employee to send them a link allowing them to redirect $6.7 million meant for a legitimate vendor to them, a lawsuit filed in New York this month says.
Cybersecurity, Phishing, Government, Lawsuit, Portland
14 points by rwc9 30 days ago | 1 comments
Recently I was targeted by an sophisticated (Google) phishing attack (threadreaderapp.com)
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got:
Phishing, Google, Security, Vulnerability
5 points by mikexstudios 37 days ago | 1 comments
Sophisticated Phishing Attack Exploits Google's Infrastructure (twitter.com)
Something went wrong, but don’t fret — let’s give it another shot.
Cybersecurity, Google, Phishing
7 points by Meekro 37 days ago | 0 comments
China-Based SMS Phishing Triad Pivots to Banks (krebsonsecurity.com)
China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.
Cybersecurity, Phishing, Mobile Payments, China
18 points by todsacerdoti 43 days ago | 0 comments
E-ZPass toll payment texts return in phishing wave (bleepingcomputer.com)
An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
Phishing, Cybersecurity, E-ZPass, Toll Agencies, SMS/iMessage
6 points by WaitWaitWha 47 days ago | 0 comments
When Getting Phished Puts You in Mortal Danger (krebsonsecurity.com)
Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.
Cybersecurity, Phishing, Russia, War
22 points by todsacerdoti 57 days ago | 0 comments
Apple Passwords app was vulnerable to phishing attacks for 3 months after launch (9to5mac.com)
In iOS 18, Apple spun off its Keychain password management tool—previously only tucked away in Settings—into a standalone app called Passwords. It was the company’s first move at making credential management more convenient for users. It’s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.
Security, Apple, Software, Mobile, Phishing
6 points by akyuu 65 days ago | 0 comments
Apple has revealed a Passwords app vulnerability that lasted for months (theverge.com)
Apple fixed a bug in the iOS 18.2 Passwords app that, for three months starting with the release of iOS 18, made users vulnerable to phishing attacks, according to an Apple security content update spotted by 9to5Mac.
Security, Apple, iOS, Bugs, Phishing
35 points by quyleanh 66 days ago | 6 comments
Ask HN: What's to prevent someone from spoofing a website? (ycombinator.com)
I just got an email from Backblaze about resetting my credentials, because they detected they were not secure enough. And I thought -- why can't the entire thing be done from a website with a very similar unicode character somewhere in there, such as a or the russian "B"?
Security, Websites, Phishing
5 points by EGreg 75 days ago | 8 comments
Russian phishing campaigns exploit Signal's device-linking feature (bleepingcomputer.com)
Russian threat actors have been launching phishing campaigns that exploit the legitimate “Linked Devices” feature in the Signal messaging app to gain unauthorized access to accounts of interest.
Cybersecurity, Phishing, Signal, Messaging Apps, Russia
7 points by todsacerdoti 93 days ago | 0 comments
FBI, Dutch police disrupt 'Manipulaters' phishing gang (krebsonsecurity.com)
The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan.
Cybersecurity, Law Enforcement, Phishing, Malware
157 points by todsacerdoti 112 days ago | 62 comments
We got hit by an alarmingly well-prepared phish spammer (utoronto.ca)
Yesterday evening, we were hit by a run of phish spam that I would call 'vaguely customized' for us, for example the display name in the From: header was "U of T | CS Dept" (but then the actual email address was that of the compromised account elsewhere that was used to send the phish spam). The destination addresses here weren't particularly well chosen, and some of them didn't even exist. So far, so normal.
Cybersecurity, Phishing, Email Security
191 points by epakai 114 days ago | 127 comments
A phishing attack involving g.co, Google's URL shortener (github.com)
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.
Cybersecurity, Phishing, Google, URL Shorteners
372 points by zachlatta 120 days ago | 158 comments
Chinese Innovations Spawn Wave of Toll Phishing via SMS (krebsonsecurity.com)
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
Cybersecurity, Phishing, Toll Roads, China, SMS
22 points by LinuxBender 126 days ago | 2 comments
Chinese Innovations Spawn Wave of Toll Phishing via SMS (krebsonsecurity.com)
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
Cybersecurity, Phishing, SMS, Toll Roads, China
4 points by todsacerdoti 127 days ago | 0 comments
A day in the life of a prolific voice phishing crew (krebsonsecurity.com)
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices.
Cybersecurity, Phishing, Apple, Google, Voice Phishing
298 points by todsacerdoti 136 days ago | 113 comments
Human study on AI spear phishing campaigns (lesswrong.com)
TL;DR: We ran a human subject study on whether language models can successfully spear-phish people. We use AI agents built from GPT-4o and Claude 3.5 Sonnet to search the web for available information on a target and use this for highly personalized phishing messages. We achieved a click-through rate of above 50% for our AI-generated phishing emails.
Artificial Intelligence, Security, Phishing, Human Studies
205 points by DalasNoin 138 days ago | 112 comments
The Psychology of Phishing: Why Smart People Fall for Scams (techsplicer.com)
Do you know that feeling of dread when you realize you’ve clicked on a suspicious link? I know it perfectly.
Psychology, Security, Phishing, Scams
6 points by splicercy 139 days ago | 3 comments
Attacker Has Techdirt Reclassified as Phishing Site (techdirt.com)
Here on Techdirt, we write a lot about content moderation and even did a whole big series of content moderation case studies. However, here’s an interesting one that involves Techdirt itself from a couple weeks ago. It’s also a perfect example of Masnick’s Impossibility Theorem in action and a reminder of how the never-ending flood of spam and scams provides cover for bad actors to sneak through abusive reports.
Content Moderation, Online Security, Phishing, Case Studies, Spam
19 points by hn_acker 162 days ago | 3 comments
Phishers Love New TLDs Like .shop, .top and .xyz (krebsonsecurity.com)
Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.
Cybersecurity, Phishing, Domain Names, Internet Security
170 points by todsacerdoti 171 days ago | 209 comments
Windows infected with backdoored Linux VMs in new phishing attacks (bleepingcomputer.com)
A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
Cybersecurity, Phishing, Linux, Virtual Machines, Backdoors
15 points by sandwichsphinx 200 days ago | 0 comments
Russian spies use remote desktop protocol files in unusual mass phishing drive (theregister.com)
Microsoft says a mass phishing campaign by Russia's foreign intelligence services (SVR) is now in its second week, and the spies are using a novel info-gathering technique.
Cybersecurity, Phishing, Russia, Foreign Intelligence, Microsoft
5 points by LinuxBender 204 days ago | 0 comments
Microsoft creates fake Azure tenants to pull phishers into honeypots (bleepingcomputer.com)
Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.
Cybersecurity, Microsoft, Phishing, Honeypots
6 points by mooreds 210 days ago | 0 comments
Microsoft creates fake Azure tenants to pull phishers into honeypots (bleepingcomputer.com)
Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.
Cybersecurity, Microsoft, Phishing, Honeypots
11 points by sandwichsphinx 216 days ago | 0 comments
DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (theregister.com)
The US Department of Justice and Microsoft have seized 107 websites used by Russian cyberspies in a phishing campaign to steal sensitive information from US government agencies, think tanks, and other victims.
Cybersecurity, Government, Russia, Phishing, Microsoft
4 points by LinuxBender 232 days ago | 0 comments
Windows PowerShell Phish Has Scary Potential (krebsonsecurity.com)
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows user.
Cybersecurity, Phishing, Malware, Windows, Programming
21 points by todsacerdoti 246 days ago | 13 comments
Using Security Engineering to Prevent Phishing – Doyensec (doyensec.com)
Recently Doyensec was hired by a client offering a “Communication Platform as a Service”. This platform allows their clients to craft a customer service experience and to communicate with their own customers via a plethora of channels: email, web chats, social media and more.
Security Engineering, Phishing, Customer Service, Communication Platforms
3 points by tony-ds 246 days ago | 1 comments
FBI recommends using an ad blocker (2022) (ic3.gov)
The FBI is warning the public that cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.
Cybersecurity, Government Recommendations, Phishing, Malware
297 points by ysabri 257 days ago | 223 comments