Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware.
Researchers have discovered a ClickFix-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam.
ClickFix campaigns use convincing lures—historically fake “human verification” screens, and now a fake download for DynamicLake, a legitimate macOS utility that turns your MacBook’s notch into an unofficial but functional version of Apple’s Dynamic Island. This type of attack requires the user to paste a command from the clipboard, making it depend heavily on user interaction.
Read more…
Source: MalwareBytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- CISA: KEV Catalog reaches 1000, what does that mean and what have we learned
September 18, 2023
Every organization is confronted by a common cybersecurity challenge: there are too many vulnerabilities in technology products. This makes it difficult to prioritize limited resources – with over 25,000 new vulnerabilities released in 2022 alone, where should an organization begin? As a starting point, we know that the majority of vulnerabilities are never exploited by ...
- One of the FBI’s most wanted hackers is trolling the U.S. government
September 18, 2023
Earlier this year, the U.S. government indicted Russian hacker Mikhail Matveev, also known by his online monikers “Wazawaka” and “Boriselcin,” accusing him of being “a prolific ransomware affiliate” who carried out “significant attacks” against companies and critical infrastructure in the U.S. and elsewhere. The feds also accused him of being a “central figure” in the development ...
- Latest evolution of ‘pig butchering’ scam lures victim into fake mining scheme
September 18, 2023
Crypto fraud has become the dominant form of Internet-based confidence schemes over the past three years, as demonstrated by the sha zhu pan (“pig butchering”) scams Sophos researchers recently investigated. But one variant has been growing at a particularly rapid pace: fake “liquidity mining.” Sophos X-Ops has also seen growth in crypto phishing sites that connect ...
- Microsoft AI researchers accidentally exposed terabytes of internal sensitive data
September 18, 2023
Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords, while publishing a storage bucket of open source training data on GitHub. In research shared with TechCrunch, cloud security startup Wiz said it discovered a GitHub repository belonging to Microsoft’s AI research division as part of its ongoing work ...
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog
September 18, 2023
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-22265 Samsung Mobile Devices Use-After-Free Vulnerability CVE-2014-8361 Realtek SDK Improper Input Validation Vulnerability CVE-2017-6884 Zyxel EMG2926 Routers Command Injection Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related: CISA Adds One Known Vulnerability to Catalog
- HWL Ebsworth hack: 65 Australian government agencies affected by cyber-attack
September 18, 2023
Sixty-five Australian government departments and agencies were victims of the cyber-attack on legal firm HWL Ebsworth, the national cybersecurity coordinator has revealed. In a speech on Monday, Air Marshal Darren Goldie also revealed that some people and clients with personal information exposed in the hack have yet to be informed. The Russian-linked ALPHV/BlackCat ransomware group hacked the law ...

