Social Engineering Scams Exploiting Mobile Device Features to Steal Credentials and Funds
Cybercriminals are increasingly leveraging built-in features of popular mobile platforms to execute sophisticated social engineering scams aimed at stealing sensitive credentials and financial assets. On WhatsApp, scammers exploit the screen-sharing function by impersonating trusted entities such as bank employees or support agents, coercing victims into sharing their screens under the pretense of resolving urgent security issues. This access enables attackers to view and capture one-time passwords (OTPs), banking details, and other personal information, resulting in significant financial losses. In response, Meta has introduced AI-powered safety tools, including real-time warnings when users attempt to share their screens with unknown contacts, to mitigate these attacks.
Similarly, iPhone users are being targeted through phishing campaigns that exploit the "Find My" feature. After a device is lost or stolen, scammers send convincing fake messages—purportedly from Apple Support—containing links that claim to help locate the missing phone. By leveraging accurate device details and the victim's sense of urgency, attackers trick users into divulging their Apple ID credentials, potentially granting full access to personal data and accounts. Authorities such as Switzerland’s National Cyber Security Centre have issued warnings about these tactics, emphasizing the need for heightened vigilance when responding to unsolicited messages related to lost devices.
Related Stories
Phishing and Fraud via Fake Banking and Device Recovery Apps
Cybercriminals are increasingly leveraging fake mobile applications and targeted phishing campaigns to steal sensitive credentials and financial information. Security researchers have identified malicious APKs masquerading as legitimate banking apps, such as a counterfeit YONO SBI app, which can surreptitiously install additional hidden applications and potentially compromise user data. These fake apps exploit trust in well-known brands and can evade detection by mimicking normal app behavior, posing significant risks to users who download apps from unofficial sources. In parallel, authorities such as the Swiss National Cyber Security Centre (NCSC) have warned about sophisticated phishing scams targeting individuals who have lost their iPhones. Attackers use information displayed on the lost device’s lock screen to send convincing SMS or iMessage phishing messages, impersonating Apple’s Find My team and luring victims to enter their Apple ID credentials on fake websites. These incidents highlight the growing threat of social engineering and technical deception in mobile ecosystems, emphasizing the need for vigilance when responding to unexpected messages or installing applications outside official app stores.
4 months ago
Phishing Scams Exploiting Common Apps and Meta's Countermeasures
Cybercriminals have increasingly weaponized common applications such as email, messaging platforms, and social media to conduct sophisticated phishing scams targeting users worldwide. Attackers frequently use seemingly innocuous PDF attachments in emails, which are crafted to appear as official documents from trusted brands like Microsoft, DocuSign, or PayPal. These emails often employ urgent subject lines to create a sense of immediacy, prompting recipients to open the attachments. The PDFs themselves are professionally styled and contain official logos, further enhancing their credibility. Victims are typically instructed to call a customer service number, where they are met by impersonators who attempt to extract sensitive information or trick them into installing malware. In addition to email-based attacks, cybercriminals are leveraging vishing techniques, using phone calls—including those made via messaging apps like WhatsApp—to deceive users into revealing confidential data. These calls often originate from foreign numbers and use automated voices to increase the likelihood of success. Recognizing the growing threat, Meta has introduced new security tools for WhatsApp and Messenger to help users identify and avoid scams. On WhatsApp, users now receive warnings when attempting to share their screen with unknown contacts during video calls, reducing the risk of inadvertently disclosing sensitive information. Messenger users can enable a 'Scam detection' feature, which alerts them to suspicious messages from unknown senders and offers the option to submit messages for AI review. If a scam is detected, users are provided with educational information about common scam tactics and options to block or report the sender. Meta has also taken significant action against scam operations, removing over 21,000 Facebook Pages and accounts impersonating customer support representatives. 
Furthermore, the company has disrupted nearly 8 million accounts linked to criminal scam centers operating from countries such as Myanmar, Laos, Cambodia, the UAE, and the Philippines. These scam centers target individuals globally through various platforms, including messaging, dating apps, and cryptocurrency services. The scams often involve romance baiting and fraudulent job offers, exploiting users' trust and financial vulnerability. Meta's efforts underscore the scale and sophistication of modern phishing campaigns and the necessity for ongoing vigilance and technological defenses. Users are advised to remain cautious when interacting with unsolicited communications, especially those requesting sensitive information or urgent action. The combination of technical countermeasures and user education is critical in mitigating the risks posed by these evolving phishing threats. Organizations and individuals alike must stay informed about the latest tactics used by cybercriminals and adopt best practices to safeguard their information. The ongoing battle between attackers and defenders highlights the dynamic nature of the cybersecurity landscape and the importance of proactive security measures.
4 months ago
Credential Theft via Phishing and Social Engineering Techniques
Attackers are increasingly leveraging simple yet effective phishing and social engineering tactics to steal user credentials. One observed method involves sending phishing emails with malicious attachments, such as `.shtml` files, that present fake login screens to unsuspecting victims. These screens are designed to capture any credentials entered and immediately transmit them to attackers via Telegram bots, making detection and takedown more difficult. The phishing campaigns often use compromised legitimate email accounts and minimal social engineering, relying on the likelihood of password reuse across multiple sites to maximize the value of stolen credentials. Another prevalent technique targets iPhone owners whose devices have been lost or stolen. Scammers exploit the contact information displayed on the device's lock screen to send convincing messages that mimic Apple's Find My service, tricking victims into entering their Apple ID credentials on fake websites. With these credentials, attackers can unlock, wipe, and resell the devices, as well as access sensitive personal data. These attacks highlight the ongoing evolution of credential theft tactics, emphasizing the need for vigilance against both low-sophistication phishing and more targeted social engineering schemes.
4 months ago
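A mail-gateway check for the `.shtml` credential-harvesting attachments described in the last story, as an added example that is not part of the original article: it flags HTML-type attachments that combine a password field with a reference to the Telegram Bot API host. The sample messages, addresses, verdict names and the two-indicator threshold are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXTS = (".shtml", ".html", ".htm", ".xhtml")
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)

# Constructed sample attachments (inert markup, placeholder token).
SUSPICIOUS_HTML = (
    '<form><input type="text" name="user"><input type="password" name="pw"></form>'
    '<script>var endpoint = "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage";</script>'
)
BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>No forms here.</p></body></html>"

def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per HTML-type attachment, listing the indicators seen."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if not name.endswith(HTML_EXTS):
            continue  # message body or a non-HTML attachment
        # decode=True undoes base64 / quoted-printable transfer encoding
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        indicators = []
        if PASSWORD_FIELD.search(body):
            indicators.append("password_field")
        if TELEGRAM_API.search(body):
            indicators.append("telegram_bot_api")
        # Assumed policy: both indicators -> block, one -> review, none -> allow
        verdict = "block" if len(indicators) == 2 else "review" if indicators else "allow"
        findings.append({"file": name, "indicators": indicators, "verdict": verdict})
    return findings

def build_sample(filename: str, html: str) -> bytes:
    """Build a constructed test message; addresses and subject are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return m.as_bytes()
```
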