phishing

The Visible Hand: How AI is Already Breaking the Security Model

John Z Black Apr 17, 2026

AI Security #ai-security #claude-mythos #hugging-face #phishing #north-korea

Central banks are panicking over unreleased AI models while hackers are already using them to backdoor Hugging Face and close $100k crypto heists. The weaponized AI era is officially here.

The Attack Isn't Coming From a Stranger. It's Coming From Your GitHub Notifications.

John Z Black Apr 14, 2026

Threat Intelligence #apt37 #north-korea #phishing #github #jira #social-engineering #pushpaganda #google-discover

Four active campaigns documented today share one design principle: the attack arrives from something the target already trusts. APT37 builds friendships on Facebook first. Attackers abuse GitHub and Jira notifications to deliver phishing links that pass SPF, DKIM, and DMARC. A fake rocket alert app spies on people in a conflict zone. AI-generated articles seed Google Discover with scareware.

The W3LL Takedown Is the Third Major PhaaS Bust in 2026. The FBI Is Running a Campaign.

John Z Black Apr 13, 2026

Ransomware & Cybercrime #phishing #phaas #fbi #law-enforcement #mfa-bypass #cybercrime

FBI Atlanta and Indonesian police dismantled W3LL, a full-service phishing-as-a-service platform that had been running since 2019 and was explicitly designed to bypass MFA. It's the third major PhaaS takedown in 2026, and that pattern matters more than any single bust.

They Didn't Get Your Password. They Got Everything Else.

John Z Black Apr 13, 2026

Incidents & Breaches #data-breach #booking.com #basic-fit #phishing #consumer-security #gdpr #social-engineering

Booking.com forced PIN resets. Basic-Fit disclosed a breach hitting roughly one million EU gym members. No passwords were stolen, both companies say. That's not the reassurance it sounds like.

MFA Isn't the Final Barrier Anymore. It Hasn't Been for a While.

John Z Black Apr 10, 2026

Security Operations & Resilience #mfa #phishing #aitm #fido2 #chrome-dbsc #venom-phaas #unc6783 #infostealers #identity-security

Three research teams this week documented MFA failures at login, at the helpdesk layer, and post-session. The answer isn't more MFA. It's hardware-bound authentication.

China's TA416 Is Back in Europe After Two Years. They Brought New Tricks.

John Z Black Apr 6, 2026

Threat Intelligence #china #ta416 #plugx #oauth #phishing #espionage #eu #apt

TA416 has resumed targeting EU government and diplomatic organizations with PlugX malware, now abusing OAuth redirects to slip past traditional phishing defenses.

AI-Written Phishing Emails Get Clicked 450% More Often. The Data Is In.

John Z Black Apr 6, 2026

AI Security #ai #phishing #microsoft #rsac-2026 #tycoon2fa #mfa-bypass #social-engineering

Microsoft telemetry shows AI-assisted phishing lures hit a 54% click-through rate versus 12% for traditional campaigns, a 450% increase that breaks conventional security awareness training.

Microsoft's Device Code Auth Is Now a Criminal Subscription Service

John Z Black Apr 2, 2026

Ransomware & Cybercrime #phishing #microsoft-365 #device-code #eviltokens #bec #phaas #credential-theft

EvilTokens sells device code phishing as a service on Telegram. Over 340 orgs compromised, and victims never see a fake login page.

Hackers Impersonated Ukraine's CERT to Push Malware as a 'Security Tool'

John Z Black Apr 2, 2026

Threat Intelligence #ukraine #cert-ua #impersonation #agewheeze #cyber-serp #phishing #rat

Pro-Russia group Cyber Serp sent fake CERT-UA emails carrying a RAT disguised as a protection tool. They claimed 200K infections. Reality was a handful.

Europol Took Down Tycoon2FA. It Was Back in Days, and Smarter Than Before.

John Z Black Mar 31, 2026

Ransomware & Cybercrime #phishing #tycoon2fa #phishing-as-a-service #microsoft-365 #entra-id #conditional-access #mfa #aitm #europol #crowdstrike

Tycoon2FA's rapid return after Europol's March 4 takedown shows why seizing infrastructure doesn't shut down phishing platforms. The operators pre-staged backup infrastructure before the first domain was seized.

Thirty Seconds. That Is All FAUX#ELEVATE Needs to Own an Enterprise Machine.

John Z Black Mar 30, 2026

Threat Intelligence #phishing #fauxelevate #vbscript #enterprise-security #credential-theft #cryptominer #hr-security

FAUX#ELEVATE skips consumer targets entirely, checks for corporate domain membership first, then steals Chrome credentials and starts mining Monero in about 30 seconds.

Your MFA Isn't Enough. (And Most Places Don't Even Have That.)

John Z Black Mar 29, 2026

Incidents & Breaches #mfa #phishing #oauth #device-code-phishing #microsoft365 #passwordless #azure #authentication #identity-security

A phishing campaign bypassed MFA at 340+ organizations using legitimate OAuth flows, while 76% of companies are still relying on passwords in the first place.

340+ Organizations Hit by M365 Phishing That Bypasses MFA Without Touching Your Password

John Z Black Mar 26, 2026

Threat Intelligence #phishing #microsoft-365 #oauth #mfa-bypass #enterprise-security

A device code OAuth phishing campaign has compromised 340+ organizations since February 2026, bypassing MFA and surviving password resets. It's still running.

Operation Synergia III: 45,000 Malicious IPs Down, 94 Arrested, 72 Countries In

John Z Black Mar 24, 2026

Ransomware & Cybercrime #interpol #operation-synergia #cybercrime #enforcement #phishing #ransomware

Interpol's Operation Synergia III ran six months across 72 countries, sinkholed 45,000 malicious IPs, and made 94 arrests. International cybercrime enforcement is getting better at this.

Two Tools Published This Week Just Broke Chrome's Encryption and Bypassed Your MFA

John Z Black Mar 23, 2026

Threat Intelligence #voidstealer #astaroth #chrome #mfa #credential-theft #phishing #fido2 #passkeys

VoidStealer cracked Chrome's Application-Bound Encryption via a debugger trick, while Astaroth defeats SMS, TOTP, and push MFA in real time -- and the only method that survives both is FIDO2.

Coinbase Is Asking You to Type Your Crypto Wallet Key Into a Website. Don't.

John Z Black Mar 22, 2026

Ransomware & Cybercrime #crypto #coinbase #phishing #seed-phrase #consumer-security #wallet-security

Coinbase Commerce shuts down March 31 and its migration tool asks users to enter their seed phrase into a web form. Security researchers are alarmed -- and they should be.

Your Encrypted Chat Is Fine. Your Trust Model Isn't.

John Z Black Mar 21, 2026

Threat Intelligence #signal #whatsapp #phishing #russian-intelligence #social-engineering #salt-typhoon #messaging-security

The FBI and CISA warn that Russian intelligence compromised thousands of Signal and WhatsApp accounts -- not by breaking encryption, but by tricking users into handing over access. Here's what that means and what to do.

Attacker Scale in 2026: Botnets, EDR Killers, and Phishing-as-Operations

John Z Black Mar 20, 2026

Threat Intelligence #byovd #edr-evasion #phishing #botnets #threat-operations #malware-economics

From BYOVD-based EDR suppression to tax-season phishing pipelines and botnet disruption, attacker scale now comes from operational integration, not one breakthrough trick.

Your Data This Week: Starbucks Employee Breach, Loblaw Customer Data, Steam Malware, and How to Respond to Each

John Z Black Mar 14, 2026

Consumer Security #starbucks #loblaw #steam #data-breach #malware #phishing #consumer #fbi #gaming

Three breaches hit this week through platforms people already trust. Starbucks employee data, Loblaw customer accounts, and FBI-flagged malware hiding in Steam games.

INTERPOL Just Sinkholed 45,000 Criminal IPs and Arrested 94 People Across 72 Countries

John Z Black Mar 14, 2026

Law Enforcement #interpol #operation-synergia #sinkhole #cybercrime #ransomware #phishing #law-enforcement #takedown

Operation Synergia III was one of the biggest cybercrime infrastructure takedowns ever. 45,000 malicious IPs redirected, 94 arrests, 72 countries involved. Here's what that actually means.

Your MFA and Your ZIP Scanner Both Have Blind Spots Attackers Are Already Using

John Z Black Mar 12, 2026

Security Controls #mfa #phishing #aitm #starkiller #zombie-zip #fido2 #passkeys #security-controls #defense

Adversary-in-the-Middle phishing beats standard MFA in real time. Zombie ZIP tricks archive scanners into waving malware through. Two trusted security controls, two systematic bypasses already in the wild.

BlackSanta Kills Your EDR Before You Even Know You're Hit — and It's Coming Through HR

John Z Black Mar 11, 2026

Malware #malware #edr #endpoint-security #phishing #hr-security #blacksanta

New malware called BlackSanta disables your endpoint detection, and it's getting in through HR inboxes. That combo is nastier than it sounds.

ClickFix Is the Social Engineering Trick That Took Over 2026

John Z Black Mar 10, 2026

Threat Intelligence #clickfix #social-engineering #ransomware #teams #phishing #a0backdoor #castlerat #chrome-extensions

A dead-simple social engineering trick is showing up everywhere in 2026. Users paste a command into PowerShell or a Run dialog and boom, malware runs. Three separate campaigns hit this week alone.