Ransomware attacks remain the top cyber-enabled threat seen by law enforcement. But phishing, business email compromises and other types of fraud - many now using a COVID-19 theme - also loom large, Europol warns in its latest Internet Organized Crime Threat Assessment.
Australian police say they've broken up a sophisticated SMS phishing scheme designed to collect personal details and bank login credentials. It's a rare success in the fight against unsolicited text messages.
The posting on Russian underground forums of source code for the Android mobile banking Trojan Cerberus has led to an increase in attacks as well as updates to the malware, the security firm Kaspersky reports.
The average amount stolen in a business email compromise scam increased 48% during the second quarter of 2020, but the number of attacks decreased during that period, the Anti-Phishing Working Group reports.
So-called "cybersquatting" attacks are surging, with financial and e-commerce websites - including those of PayPal, Royal Bank of Canada, Bank of America and Amazon - among the most frequent targets, according to Palo Alto Networks' Unit 42.
The operators behind the Qbot banking Trojan are deploying a new version of the malware that uses hijacked Outlook email threads to send personalized phishing emails, according to Check Point Research. This campaign has targeted over 100,000 victims worldwide.
Card-not-present fraud is rising as fraudsters inject malware into e-commerce websites to harvest account information, says Gord Jamieson of Visa. But the artificial intelligence models used to detect this fraud need to be refined to better mitigate this threat, he says.
FINRA, a private organization that helps self-regulate brokerage firms and exchange markets, is warning that fraudsters have recently started creating spoofed websites and domains using members' real names and images in an attempt to steal personal information and credentials.
Ransomware gangs continue to see bigger payoffs from their ransom-paying victims, driven by "big-game hunting," data exfiltration and smaller players seeking larger returns, according to ransomware incident response firm Coveware.
Who watches the penetration-testing testers? Questions are circulating over how some organizations train their employees for the CREST pen-testing certification after some leaked internal documents appeared to contain material from past tests.