Phishing

Google swiftly disrupted a foreign-based cybercriminal group behind a massive SMS phishing campaign, known as the “Smishing Triad,” after filing a lawsuit. The group used a phishing kit called “Lighthouse” to target over a million people in 120 countries with deceptive SMS messages impersonating legitimate services. These messages led victims to fraudulent websites to steal financial information. Google acted within 24 hours, but details of the shutdown methods were not disclosed. This proactive approach highlights the fight against sophisticated phishing operations.

Google has filed a lawsuit against a Chinese cybercriminal organization, “Smishing Triad,” alleging they orchestrated a massive SMS phishing campaign using the “Lighthouse” phishing-as-a-service kit. This kit facilitated widespread attacks stealing user data by mimicking recognizable brands. Google invokes RICO, Lanham Act, and CFAA, seeking to dismantle the platform and prevent further harm. The lawsuit details a sophisticated operation with specialized subgroups and millions of compromised credit cards, highlighting Google’s commitment to combating online fraud and supporting legislative measures against cybercrime.

A Yubico survey reveals significant cybersecurity habit disparities across major U.S. cities. Nearly half of Americans reuse passwords, while only 3% favor hardware security keys. Seattle and San Francisco lead in MFA and passkey adoption, while Denver lags. The survey exposes a disconnect between perceived and actual security, with many experiencing cyber incidents despite believing they can identify phishing. Yubico advocates for robust, phishing-resistant authentication methods like YubiKeys.

WeChat warns of a new online shopping scam where buyers receive incorrect items. Scammers provide QR codes for “customer service,” leading to phishing attempts. Victims are lured into downloading apps and transferring funds through promises of compensation or task rewards. WeChat advises using official platform customer service for after-sales issues and cautions against trusting excessive compensation offers or prepayment requests.

SquareX warns of a new “Browser in the Middle” phishing technique using fake fullscreen login pop-ups to steal credentials. Exploiting browser vulnerabilities in Chrome, Edge, and Safari, attackers create convincing illusions. Safari is at highest risk due to a lack of visual warnings during the transition to fullscreen mode.