Google has filed a complaint in court that details the scam:
> In a complaint filed Wednesday, the tech giant accused “a cybercriminal group
> in China” of selling “phishing for dummies” kits. The kits help unsavvy
> fraudsters easily “execute a large-scale phishing campaign,” tricking hordes
> of unsuspecting people into “disclosing sensitive information like passwords,
> credit card numbers, or banking information, often by impersonating well-known
> brands, government agencies, or even people the victim knows.”
>
> These branded “Lighthouse” kits offer two versions of software, depending on
> whether bad actors want to launch SMS and e-commerce scams. “Members may
> subscribe to weekly, monthly, seasonal, annual, or permanent licenses,” Google
> alleged. Kits include “hundreds of templates for fake websites, domain set-up
> tools for those fake websites, and other features designed to dupe victims
> into believing they are entering sensitive information on a legitimate
> website.”...
Tag - phishing
A few years ago, scammers invented a new phishing email. They would claim to
have hacked your computer, turned your webcam on, and videoed you watching porn
or having sex. BuzzFeed has an article talking about a “shockingly realistic”
variant, which includes photos of you and your house—more specific information.
The article contains “steps you can take to figure out if it’s a scam,” but
omits the first and most fundamental piece of advice: If the hacker had
incriminating video about you, they would show you a clip. Just a taste, not the
worst bits, so that you would have to worry about how bad it could be, but something. If the
hacker doesn’t show you any video, they don’t have any video. Everything else is
window dressing...
There’s a new cybersecurity awareness campaign: Take9. The idea is that
people—you, me, everyone—should just pause for nine seconds and think more about
the link they are planning to click on, the file they are planning to download,
or whatever it is they are planning to share.
There’s a website—of course—and a video, well-produced and scary. But the
campaign won’t do much to improve cybersecurity. The advice isn’t reasonable, it
won’t make either individuals or nations appreciably safer, and it deflects
blame from the real causes of our cyberspace insecurities...
In case you need proof that anyone, even people who do cybersecurity for a
living, can get phished, Troy Hunt has a long, iterative story on his website about
how he got phished. Worth reading.
This isn’t new, but it’s increasingly popular:
> The technique is known as device code phishing. It exploits “device code
> flow,” a form of authentication formalized in the industry-wide OAuth
> standard. Authentication through device code flow is designed for logging
> printers, smart TVs, and similar devices into accounts. These devices
> typically don’t support browsers, making it difficult to sign in using more
> standard forms of authentication, such as entering user names, passwords, and
> two-factor mechanisms.
>
> Rather than authenticating the user directly, the input-constrained device
> displays an alphabetic or alphanumeric device code along with a link
> associated with the user account. The user opens the link on a computer or
> other device that’s easier to sign in with and enters the code. The remote
> server then sends a token to the input-constrained device that logs it into
> the account...
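The exchange described in the quoted passage, as an added example that is not part of the original post or the article it quotes: a minimal simulation of the OAuth 2.0 device authorization grant (RFC 8628) with all three steps, followed by the phishing abuse. The server class, client ID, user names and verification URL are constructed stand-ins, not a real identity provider. The point it makes is that the token is bound to the device code the client holds, so the attacker who started the flow gets the token even though the victim signed in on the real login page and passed MFA honestly.

```python
"""
Simulated OAuth 2.0 device authorization grant (RFC 8628) and the
device-code phishing pattern. Constructed example: the server, client IDs,
users and URLs are stand-ins, not a real identity provider.
"""
import secrets

# RFC 8628 section 6.1 recommends an alphabet without easily confused characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Minimal stand-in for an identity provider's device-authorization and token endpoints."""

    def __init__(self, code_ttl=600, interval=5):
        self.code_ttl = code_ttl          # seconds a code stays valid (assumed value)
        self.interval = interval          # minimum polling interval for the client
        self._by_device_code = {}         # device_code -> pending request record
        self._by_user_code = {}           # user_code   -> the same record

    def device_authorization(self, client_id, scope, now):
        """Step 1: the input-constrained client asks for a device code plus a short user code."""
        device_code = secrets.token_urlsafe(24)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))                      # e.g. "BCDF-GHJK"
        rec = {"client_id": client_id, "scope": scope, "user_code": user_code,
               "expires": now + self.code_ttl, "approved_by": None}
        self._by_device_code[device_code] = rec
        self._by_user_code[user_code] = rec
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed URL
                "expires_in": self.code_ttl, "interval": self.interval}

    def user_approves(self, user_code, username, mfa_passed, now):
        """Step 2: a human opens verification_uri, signs in (MFA included) and types the code.
        Returns what the consent screen showed, or None if the code is unknown, expired,
        or the sign-in failed. Note that nothing ties the approving user to the device."""
        rec = self._by_user_code.get(user_code.strip().upper())
        if rec is None or now > rec["expires"] or not mfa_passed:
            return None
        rec["approved_by"] = username
        return {"app": rec["client_id"], "scope": rec["scope"]}

    def token(self, device_code, now):
        """Step 3: the client polls the token endpoint; once approved it receives a token
        for whichever account approved the user code."""
        rec = self._by_device_code.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"at-{rec['approved_by']}-{secrets.token_hex(4)}",
                "token_type": "Bearer", "scope": rec["scope"], "subject": rec["approved_by"]}


def phish(server, victim, approve_at, poll_at):
    """Attacker runs step 1 on their own machine, delivers the user code to the victim in a
    lure, and polls step 3. The victim performs step 2 honestly on the genuine login page."""
    # Attacker requests a code while naming a well-known app (assumed client ID) so the
    # consent screen looks unremarkable to the victim.
    start = server.device_authorization("well-known-collab-app", "mail.read files.read", now=0)
    lure = (f"A colleague shared a document with you. Open {start['verification_uri']} "
            f"and enter code {start['user_code']} within {start['expires_in'] // 60} minutes.")
    # Victim follows the lure. No forged page, no stolen password: real login, real MFA.
    consent = server.user_approves(start["user_code"], victim, mfa_passed=True, now=approve_at)
    # Attacker's poll succeeds because the token is bound to the device code they hold,
    # not to the browser the victim signed in from.
    return {"lure": lure, "consent": consent, "token": server.token(start["device_code"], now=poll_at)}


if __name__ == "__main__":
    result = phish(AuthorizationServer(), "alice", approve_at=60, poll_at=65)
    print(result["lure"])
    print("consent screen showed:", result["consent"])
    print("attacker received:", result["token"])
```

Two things the simulation makes visible. The short `expires_in` is why these lures always carry urgency: a code entered after expiry is refused, so the attacker needs the victim to act within minutes. And the only signal the victim gets is the consent screen naming an app and scope they did not start, which is why policy controls (disabling the device code flow for users and tenants that have no input-constrained devices, or restricting which clients may use it) do more than user training here.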
I am always interested in new phishing tricks, and watching them spread across
the ecosystem.
A few days ago I started getting phishing SMS messages with a new twist. They
were standard messages about delayed packages or somesuch, with the goal of
getting me to click on a link and enter some personal information into a
website. But because they came from unknown phone numbers, the links did not
work. So—this is the new bit—the messages said something like: “Please reply Y,
then exit the text message, reopen the text message activation link, or copy the
link to Safari browser to open it.”...
A very security-conscious company was hit with a (presumed) massive state-actor
phishing attack with gift cards, and everyone rallied to combat it—until it
turned out it was company management sending the gift cards.