Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data
Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a job-themed phishing campaign impersonating Google Forms via the lookalike domain forms.google.ss-o[.]com (the brand name sits in a subdomain label; the registrable domain is ss-o[.]com), using a generation_form.php script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., id-v4[.]com). The infrastructure also redirected to local Google search pages as an anti-analysis tactic, reducing link sharing and researcher visibility.
Separately, Bridewell described a Booking.com-themed, multi-stage phishing and fraud scheme targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals on lookalike domains (including IDN homographs) that harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach that quotes real booking details). A third report described the broader rise of Carding-as-a-Service (CaaS) marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware); it does not describe the same phishing incidents and should be treated as related background rather than part of the same event.
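The two lookalike tricks described above, the brand-as-subdomain pattern of forms.google.ss-o[.]com and the IDN homograph domains used against Booking.com partners, can be triaged with a short script that judges a URL by its registrable domain rather than by the label the victim reads. The following is an added example, not code from Malwarebytes or Bridewell; the BRANDS allowlist, the cut-down suffix table, the confusable map and the sample URLs (including a constructed Cyrillic "booking" domain) are assumptions for illustration.

```python
"""Added example (not code from Malwarebytes or Bridewell): triage of lookalike
URLs for two tricks named above: a trusted brand placed in a subdomain of an
unrelated registrable domain (forms.google.ss-o[.]com) and IDN homograph
labels (xn--) whose Latin-looking "skeleton" spells a brand."""
import unicodedata
from urllib.parse import urlsplit

# Assumed brand -> legitimate registrable domains. Illustrative, not an allowlist.
BRANDS = {
    "google": {"google.com"},
    "booking": {"booking.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}

# Tiny stand-in for the Public Suffix List so eTLD+1 works for the samples;
# real code should load the full list (e.g. the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Cyrillic and Greek letters routinely used as look-alikes for Latin ones
# (written as escapes so the mapping is unambiguous).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u04cf": "l", "\u03bf": "o", "\u03bd": "v",
})


def refang(url: str) -> str:
    """Undo report-style defanging: hxxp -> http, [.] -> ."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """eTLD+1 of host using the tiny suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """Fold a label to the Latin string it visually imitates."""
    return unicodedata.normalize("NFKC", label).translate(CONFUSABLES).lower()


def triage(url: str) -> list:
    """Return (indicator, detail) findings for one URL; an empty list is clean."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    # 1. Brand keyword in a subdomain label while the registrable domain is not the brand's.
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    for label in filter(None, sub.split(".")):
        for brand, legit in BRANDS.items():
            if brand in label and reg not in legit:
                findings.append(("brand-in-subdomain", f"'{brand}' in subdomain of {reg}"))

    # 2. Punycode labels: decode to what the victim sees, then compare skeletons.
    try:
        shown = host.encode("ascii").decode("idna")
    except UnicodeError:
        shown = host  # already Unicode or undecodable; inspect as-is
    for label in shown.split("."):
        if label.isascii():
            continue
        sk = skeleton(label)
        hits = [b for b, legit in BRANDS.items() if b in sk and reg not in legit]
        kind = "idn-homograph" if hits else "idn-label"
        suffix = f" ({', '.join(hits)})" if hits else ""
        findings.append((kind, f"{label!r} looks like {sk!r}" + suffix))
    return findings


# Constructed samples (defanged like the reports); the IDN one is built at runtime
# from "b\u043e\u043eking" (Cyrillic o) so the punycode is exact.
SAMPLES = [
    "hxxps://forms.google.ss-o[.]com/generation_form.php?id=demo",
    "hxxps://id-v4[.]com/login",
    "https://docs.google.com/forms/d/e/demo/viewform",
    "https://" + "b\u043e\u043eking".encode("idna").decode("ascii") + ".com/partner/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage(u) or "no findings")
```

The point of the first check is that `forms.google.ss-o.com` is evaluated on `ss-o.com`, so a brand string anywhere left of the registrable domain never counts in its favour; `docs.google.com` passes because its registrable domain is on the brand's list. For the homograph check, Unicode's confusables.txt is the complete source of look-alike mappings; the table here is a small subset.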
Related Stories

Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are raising phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting any software vulnerability. Separately, Rapid7 documented a cloud-abuse incident in which attackers used **compromised AWS credentials** to stand up phishing/spam operations on **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial-access path across industries.
1 month ago
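One way to surface the WorkMail abuse described above, where each API call is individually routine and blends into administrative activity, is to key on novelty per principal rather than on the API names themselves: an access key that has only ever touched EC2 and S3 and then starts creating a WorkMail organization is the signal. The following is an added example, not code from Rapid7; the CloudTrail records are constructed (the account ID, access key IDs, user names and IPs are placeholders), and the set of event-name prefixes treated as mutating is an assumption.

```python
"""Added example, not code from the Rapid7 write-up: flag an AWS principal
that begins driving Amazon WorkMail management APIs with no prior WorkMail
history, using CloudTrail records. All records below are constructed; the
account ID, access key IDs and IPs are placeholders."""
from collections import defaultdict

WORKMAIL_SOURCE = "workmail.amazonaws.com"
# Assumed: event-name prefixes we treat as building or changing mail infrastructure.
MUTATING_PREFIXES = ("Create", "Register", "Put", "Update", "Associate")


def rec(key, user, source, name, ip, time):
    """Build a minimal CloudTrail record (constructed; shape only)."""
    return {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "IAMUser",
            "accountId": "123456789012",
            "accessKeyId": key,
            "arn": f"arn:aws:iam::123456789012:user/{user}",
            "userName": user,
        },
    }


# Baseline window: a CI key that only touches EC2/S3, and a mail admin who
# legitimately administers WorkMail.
BASELINE = [
    rec("AKIACIEXAMPLE0000001", "deploy-ci", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "2025-01-02T09:00:00Z"),
    rec("AKIACIEXAMPLE0000001", "deploy-ci", "s3.amazonaws.com", "PutObject", "203.0.113.10", "2025-01-03T09:05:00Z"),
    rec("AKIAMAILEXAMPLE00002", "mail-admin", WORKMAIL_SOURCE, "ListUsers", "198.51.100.7", "2025-01-05T14:00:00Z"),
]

# New activity: the CI key, from an unseen IP, suddenly creates a WorkMail org and user.
NEW = [
    rec("AKIACIEXAMPLE0000001", "deploy-ci", WORKMAIL_SOURCE, "CreateOrganization", "192.0.2.44", "2025-01-20T03:12:00Z"),
    rec("AKIACIEXAMPLE0000001", "deploy-ci", WORKMAIL_SOURCE, "CreateUser", "192.0.2.44", "2025-01-20T03:13:30Z"),
    rec("AKIACIEXAMPLE0000001", "deploy-ci", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "2025-01-20T09:00:00Z"),
    rec("AKIAMAILEXAMPLE00002", "mail-admin", WORKMAIL_SOURCE, "ListUsers", "198.51.100.7", "2025-01-20T14:00:00Z"),
]


def principal(event):
    """Key the baseline by access key when present, else by ARN."""
    ident = event["userIdentity"]
    return ident.get("accessKeyId") or ident.get("arn")


def build_baseline(events):
    """Per principal: which eventSources and source IPs it has used."""
    seen = defaultdict(lambda: {"sources": set(), "ips": set()})
    for e in events:
        seen[principal(e)]["sources"].add(e["eventSource"])
        seen[principal(e)]["ips"].add(e["sourceIPAddress"])
    return seen


def detect(events, baseline):
    """Alert on WorkMail calls by principals with no WorkMail history."""
    alerts = []
    for e in events:
        if e["eventSource"] != WORKMAIL_SOURCE:
            continue
        hist = baseline.get(principal(e), {"sources": set(), "ips": set()})
        if WORKMAIL_SOURCE in hist["sources"]:
            continue  # established mail admin; this is the activity abuse blends into
        mutating = e["eventName"].startswith(MUTATING_PREFIXES)
        alerts.append({
            "principal": e["userIdentity"].get("arn"),
            "eventName": e["eventName"],
            "eventTime": e["eventTime"],
            "severity": "high" if mutating else "medium",
            "new_source_ip": e["sourceIPAddress"] not in hist["ips"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(NEW, build_baseline(BASELINE)):
        print(a)
```

The mail admin's `ListUsers` call is never flagged, which is the intended trade-off: WorkMail activity alone is not the indicator, WorkMail activity from a principal that has never used the service is. In practice the baseline would be built from a rolling window of CloudTrail data and the same first-seen logic extends to SES and other sending services.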
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed-voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity.
Yesterday
Large-Scale Online Scam Operations and Cross-Platform Fraud Tactics
Researchers and industry reporting highlighted a sharp rise in **online scam infrastructure**, including a network of more than **20,000 fake shopping sites** built to steal payment data and personal information, and phishing campaigns that use **LiveChat-style customer support impersonation** to extract credit card details, PII, and even MFA codes. The fake-shop ecosystem uses polished storefronts, shared infrastructure, and rapid rebranding to mimic legitimate retailers at industrial scale, while the LiveChat campaigns begin with deceptive emails and move victims into real-time conversations with fake support agents posing as brands such as *Amazon* and *PayPal*. Separately, **Google, Meta, Amazon, and other companies** announced a voluntary intelligence-sharing pact to combat online scams across social media, marketplaces, messaging, and payments platforms. That agreement is related to the broader rise in fraud, but it is not about the same specific scam operations described in the threat reports. The combined reporting shows that scam activity is increasingly coordinated, multi-platform, and enabled by reusable infrastructure and social engineering techniques that make fraudulent interactions appear legitimate to victims.
Today