-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Hackers Use Fake Claude AI Site to Infect Users With New Beagle Malware
Researchers have discovered a new malvertising campaign using a fake Claude AI website to plant a new, undocumented backdoor named Beagle on user devices.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Scammers Use Hidden Text to Bypass AI Email Filters in Phishing Scams
Scammers are hiding invisible text inside phishing emails to manipulate AI-powered email filters and increase the chances of scams reaching inboxes.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware
A massive fraud network called FEMITBOT uses Telegram Mini Apps and fake brand names like Apple, Disney, and…
-
Security Boulevard

-
Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery
What happened CTM360 researchers have uncovered a large-scale fraud operation using Telegram’s Mini App feature to run cryptocurrency scams, impersonate major brands, and distribute Android malware. The platform behind the operation, dubbed FEMITBOT based on a string found in API responses, uses Telegram bots and embedded Mini Apps to create convincing app-like experiences within the […]
The post Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery appeared first on CISO Whisperer.
The post Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery appeared first on Security Boulevard.

-
Securelist

-
“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security
Introduction
The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns. Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES.
The dangers of Amazon SES abuse
Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery. It integrates seamlessly with other products in Amazon’s cloud ecosystem, AWS.
At first glance, it might seem like just another delivery channel for email phishing, but that isn’t the case. The insidious nature of Amazon SES attacks lies in the fact that attackers aren’t using suspicious or dangerous domains; instead, they are leveraging infrastructure that both users and security systems have grown to trust. These emails utilize SPF, DKIM, and DMARC authentication protocols, passing all standard provider checks, and almost always contain .amazonses.com in the Message-ID headers. Consequently, from a technical standpoint, every email sent via Amazon SES – even a phishing one – looks completely legitimate.
Phishing URLs can be masked with redirects: a user sees a link like amazonaws.com in the email and clicks it with confidence, only to be sent to a phishing site rather than a legitimate one. Amazon SES also allows for custom HTML templates, which attackers use to craft more convincing emails. Because this is legitimate infrastructure, the sender’s IP address won’t end up on reputation-based blocklists. Blocking it would restrict all incoming mail sent through Amazon SES. For major services, that kind of measure is ineffective, as it would significantly disrupt user workflows due to a massive number of false positives.
How compromise happens
In most cases, attackers gain access to Amazon SES through leaked IAM (AWS Identity and Access Management) access keys. Developers frequently leave these keys exposed in public GitHub repositories, ENV files, Docker images, configuration backups, or even in publicly accessible S3 buckets. To hunt for these IAM keys, phishers use various tools, such as automated bots based on the open-source utility TruffleHog, which is designed for detecting leaked secrets. After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages.
Examples of phishing with Amazon SES
In early 2026, one of the most common themes in phishing emails sent with Amazon SES was fake notifications from electronic signature services.
The email’s technical headers confirm that it was sent with Amazon SES. At first glance, it all looks legitimate enough.
In these emails, the victim is typically asked to click a link to review and sign a specific document.
Upon clicking the link, the user is directed to a sign-in form hosted on amazonaws.com. This can easily mislead the victim, convincing them that what they’re doing is safe.
The resulting form is, of course, a phishing page, and any data entered into it goes directly to the attackers.
Amazon SES and BEC
However, Amazon SES is used for more than just standard phishing; it’s also a vehicle for a very sophisticated type of BEC campaign. In one case we investigated, a fraudulent email appeared to contain a series of messages exchanged between an employee of the target organization and a service provider about an outstanding invoice. The email was sent as if from that employee to the company’s finance department, requesting urgent payment.
The PDF attachments didn’t contain any malicious phishing URLs or QR codes, only payment details and supporting documentation.
Naturally, the email didn’t originate with the employee, but with an attacker impersonating them. The entire thread quoted within the email was actually fabricated, with the messages formatted to appear, at a cursory glance, as a legitimate forwarded thread. This type of attack aims to lower the user’s guard and trick them into transferring funds to the scammers’ account.
Takeaways
Phishing via Amazon SES is shifting from isolated incidents into a steady trend. By weaponizing this service, attackers avoid the effort of building dubious domains and mail infrastructure from scratch. Instead, they hijack existing access keys to gain the ability to blast out thousands of phishing emails. These messages pass email authentication, originate from IP addresses that are unlikely to be blocklisted, and contain links to phishing forms that look entirely legitimate.
Since these Amazon SES phishing attacks stem from compromised or leaked AWS credentials, prioritizing the security of these accounts is critical. To mitigate these risks, we recommend following these guidelines:
- Implement the principle of least privilege when configuring IAM access keys, granting elevated permissions only to users who require them for specific tasks.
- Transition from IAM access keys to roles when configuring AWS; these are profiles with specific permissions that can be assigned to one or several users.
- Enable multi-factor authentication, an ever-relevant step.
- Configure IP-based access restrictions.
- Set up automated key rotation and run regular security audits.
- Use the AWS Key Management Service to encrypt data with unique cryptographic keys and manage them from a centralized location.
We recommend that users remain vigilant when handling email. Do not determine whether an email is safe based solely on the From field. If you receive unexpected documents via email, a prudent precaution is to verify the request with the sender through a different communication channel. Always carefully inspect where links in the body of an email actually lead. Additionally, robust email security solutions can provide an essential layer of protection for both corporate and personal correspondence.
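A mail-triage sketch for the pattern described above, added here as an example and not taken from the Securelist article: it treats passing SPF/DKIM/DMARC as a fact about the relay rather than a verdict, and flags SES-relayed mail from unexpected senders and links that land on amazonaws.com or differ from their visible label. The sample message, the `trusted_ses_senders` allowlist and the flag names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): an "e-signature" notice relayed via SES.
SAMPLE_EML = """\
From: "E-Sign Service" <notify@esign-docs.example>
To: finance@corp.example
Subject: Document ready for signature
Message-ID: <0100018f-constructed-000000@email.amazonses.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com; dmarc=pass header.from=esign-docs.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review and sign the document.</p>
<a href="https://constructed-bucket.s3.amazonaws.com/signin.html">esign-docs.example/review</a>
</body></html>
"""

# A visible link label that itself looks like a host name or URL.
SHOWN_HOST = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw, trusted_ses_senders=frozenset()):
    """Return header facts plus review flags for one RFC 5322 message."""
    msg = message_from_string(raw)
    via_ses = ".amazonses.com" in msg.get("Message-ID", "").lower()
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    findings = []
    # Passing authentication only proves the relay, so SES mail is judged by
    # whether this sender is one we expect to use SES (hypothetical allowlist).
    if via_ses and from_domain not in trusted_ses_senders:
        findings.append("ses-sender-not-allowlisted")

    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))

    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host == "amazonaws.com" or host.endswith(".amazonaws.com"):
            findings.append("link-on-shared-aws-host")  # anyone can host a form here
        shown = SHOWN_HOST.match(text)
        if shown and shown.group(1).lower() != host:
            findings.append("link-text-host-mismatch")  # label names a different site
    return {"via_ses": via_ses, "auth_pass": auth_pass,
            "from_domain": from_domain, "findings": findings}
```

The flags are review signals for a mail gateway or analyst queue, not block rules: plenty of legitimate services send through Amazon SES and host content on amazonaws.com.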




-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Google AppSheet Exploited in 30,000-User Facebook Phishing Operation
Scammers are abusing Google AppSheet and Google Drive to bypass security filters and steal thousands of Facebook Business accounts globally.
-
Security Boulevard

-
China Has its Sights Set on Scammers, Just Not Those Targeting Americans
A new report from the U.S.-China Economic and Security Review Commission reveals that while China is aggressively prosecuting fraud targeting its own citizens, it continues to turn a blind eye to industrial-scale scam centers victimizing Americans. This selective enforcement has incentivized Chinese criminal syndicates to pivot toward U.S. targets, resulting in over $10 billion in losses in 2024 through "pig-butchering" and crypto investment schemes. As attackers integrate AI to scale these operations and exploit cryptocurrency for money laundering, experts warn that organizations must treat social engineering as a structural infrastructure threat rather than a simple training issue, as diplomatic solutions remain unlikely in the current geopolitical climate
The post China Has its Sights Set on Scammers, Just Not Those Targeting Americans appeared first on Security Boulevard.
-
Cybersecurity News
-
Operation Road Trap: Inside the 79,000-Message Smishing Wave Hitting Drivers Worldwide
The post Operation Road Trap: Inside the 79,000-Message Smishing Wave Hitting Drivers Worldwide appeared first on Daily CyberSecurity.
-
Cybersecurity News
-
Unmasking the Phoenix System’s Rogue BTS Smishing Empire
The post Unmasking the Phoenix System’s Rogue BTS Smishing Empire appeared first on Daily CyberSecurity.
-
Cybersecurity News
-
The 11-Step Trap: How a Fake DHL OTP Trick Steals Your Password
The post The 11-Step Trap: How a Fake DHL OTP Trick Steals Your Password appeared first on Daily CyberSecurity.
-
Security Boulevard

-
It’s Not the Computer, Stupid. It’s the Information in It. Two Recent Indictments Stretch the Limits of “Theft” of Information.
The legal system persists in framing "computer crime" through the archaic lens of tangible property—theft and conversion—despite the fact that information is non-rivalrous and easily duplicated without depriving the original owner of possession. Recent federal indictments, such as the Van Dyke and SPLC matters, reveal a "doctrinally aggressive" expansion where the government claims universal ownership of information to prosecute misuse rather than disclosure. As the Supreme Court moves to narrow the Computer Fraud and Abuse Act (CFAA) and reject "right to control" theories, a widening gap emerges between prosecutorial tactics and judicial constraints, highlighting a desperate need to shift the legal focus from "ownership" to duties of confidentiality and authorized use.
The post It’s Not the Computer, Stupid. It’s the Information in It. Two Recent Indictments Stretch the Limits of “Theft” of Information. appeared first on Security Boulevard.
-
Cybersecurity News
-
The Global Takedown: FBI and International Allies Dismantle Billion-Dollar Pig-Butchering Empires
The post The Global Takedown: FBI and International Allies Dismantle Billion-Dollar Pig-Butchering Empires appeared first on Daily CyberSecurity.
-
Firewall Daily – The Cyber Express

-
Dubai Police Smash International Scam Empire in Massive FBI and China-Led Operation
In a major international enforcement action, Operation Tri-Force Sentinel, led by Dubai Police, in coordination with the FBI and Chinese Police, has dismantled a large transnational fraud network involved in global financial scams. The Operation Tri-Force Sentinel crackdown resulted in the arrest of 276 individuals linked to organised cyber-enabled fraud activities spanning multiple countries, primarily involving suspects from Southeast Asia. The Operation Tri-Force Sentinel was carried out u
276 Arrests and Nine Fraud Centres Dismantled in Operation Tri-Force Sentinel
As part of the operation, law enforcement agencies executed synchronized raids that dismantled three major criminal syndicates operating fraud centres. These centres were responsible for large-scale financial deception campaigns targeting victims across several regions. The operation led to the arrest of 276 suspects, with authorities confirming that the network used advanced social engineering techniques. Victims were reportedly engaged through digital platforms, where trust was gradually built before financial exploitation took place. Dubai Police also confirmed the arrest of a key leader of one of the syndicates in Thailand, carried out in coordination with the Royal Thai Police. The enforcement action marked one of the most significant coordinated strikes against cyber-financial crime groups in recent times under Operation Tri-Force Sentinel.
Dubai Police, FBI, and Chinese Police Coordination
Dubai Police played a central role in directing and executing Operation Tri-Force Sentinel, enabling real-time intelligence sharing between international partners. The collaboration with the FBI and Chinese Police was described as critical to the success of the operation. Dubai Police stated that the operation reflects a proactive strategy to combat evolving transnational financial crime threats. The agency emphasized that coordinated international efforts were essential to dismantling complex criminal networks operating across borders. The FBI highlighted the significance of joint enforcement efforts, stating that the operation demonstrates the effectiveness of coordinated global action in disrupting large-scale fraud schemes. It further noted that the partnership with the UAE authorities, particularly the Dubai Police, played a key role in achieving operational success. Chinese Police also reaffirmed their commitment to combating telecom and financial fraud crimes. They emphasized continued cooperation with global law enforcement agencies to address emerging cross-border criminal activities targeted in Operation Tri-Force Sentinel.
Transnational Fraud Networks and Financial Crime Disruption
The dismantled network operated multiple fraud centres using structured and organised digital fraud models. These included investment scams and cryptocurrency-related fraud schemes that have increasingly affected victims across several countries. Authorities noted that the criminal groups involved in Operation relied heavily on psychological manipulation and digital engagement strategies to execute financial scams at scale. The coordinated enforcement action disrupted key operational infrastructure of these networks in a single phase.
International Cooperation Strengthened
This operation highlights the growing importance of international cooperation in tackling financial crime networks that operate beyond national borders. The joint action between Dubai Police, the FBI, and the Chinese Police demonstrates strengthened coordination in intelligence sharing and enforcement execution. Officials involved in the operation emphasized that continued collaboration is essential to countering sophisticated fraud networks. The success of Operation reflects the ability of global law enforcement agencies to respond jointly to complex cyber-enabled financial threats. The operation marks a significant step in global efforts to combat organised fraud networks and reinforces the role of coordinated international enforcement in addressing cross-border financial crime.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks
Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections.
-
Firewall Daily – The Cyber Express

-
IOCTA 2026 Report Warns of Rising AI-Driven Cybercrime and Dark Web Threats
The IOCTA 2026 report released by Europol offers a detailed look at how cybercrime is evolving across Europe, with criminals increasingly using artificial intelligence, encryption, and cryptocurrencies to scale their operations. The latest edition of the Internet Organised Crime Threat Assessment outlines key trends shaping the threat landscape and calls for stronger coordination among law enforcement agencies. According to the IOCTA 2026 report, cybercrime is becoming more complex and interc
IOCTA 2026 Report Maps Evolving Cyber Threat Landscape
The IOCTA 2026 report serves as a roadmap for understanding emerging cyber threats, covering areas such as online fraud, ransomware attacks, and child exploitation networks. Edvardas Šileris, Head of the European Cybercrime Centre at Europol, emphasized that the report is intended to help law enforcement agencies respond effectively to these evolving risks. He noted that as cybercriminals continue to exploit new technologies, strengthening capabilities and improving collaboration will be essential to protect citizens and critical infrastructure.
Dark Web Fragmentation and Cryptocurrencies Fuel Crime
A key finding in the IOCTA 2026 report is the continued role of the dark web as a central hub for cybercriminal activity. Despite ongoing crackdowns, marketplaces and forums remain active, with criminals frequently shifting platforms to avoid detection. The report highlights how fragmentation and specialization across these platforms make investigations more difficult. Encrypted messaging services and anonymized networks are increasingly connecting surface and dark web environments, reducing the visibility of criminal operations. Cryptocurrencies also play a significant role, according to the IOCTA 2026 report. Privacy-focused coins and offshore exchanges are widely used to launder ransomware payments, making financial tracking more challenging. The report also points to a growing trend of younger individuals becoming involved in cryptocurrency-related activities, sometimes without understanding the legal risks.
AI-Driven Fraud Expands Across Europe
The IOCTA 2026 report identifies artificial intelligence as a major driver of online fraud. Cybercriminals are using generative AI tools to create highly targeted phishing campaigns and social engineering attacks. These tools allow attackers to:
- Personalize fraudulent messages at scale
- Mimic legitimate communication styles
- Automate large-scale scam operations
Ransomware and Data Extortion Remain Key Threats
Ransomware continues to be a dominant threat, as outlined in the IOCTA 2026 report. A large number of active ransomware groups were observed throughout 2025, with many adopting data extortion tactics. Instead of relying solely on encryption, attackers are increasingly threatening to release stolen data to pressure victims into paying. This shift has made cyberattacks more damaging, particularly for public institutions and large organizations. The report also notes growing links between state-sponsored actors and criminal groups, with some cybercriminals acting as proxies in broader geopolitical strategies. Emerging hacking coalitions are adding another layer of complexity to the threat landscape.
Rise in Online Child Exploitation and Criminal Networks
The IOCTA 2026 report highlights a concerning increase in online child sexual exploitation cases. The financial trade of child abuse material is growing, and the use of synthetic content is creating new challenges for investigators. Encrypted messaging platforms are widely used by offenders, making it harder for authorities to monitor and intervene. The report also points to the emergence of organized online communities that engage in multiple forms of criminal activity. These networks combine cybercrime with violent offenses, creating a complex and dangerous ecosystem that extends beyond digital spaces.
Need for Stronger Law Enforcement Collaboration
The findings of the IOCTA 2026 report reinforce the need for improved coordination between governments, law enforcement agencies, and industry stakeholders. As cyber threats become more advanced, isolated efforts are no longer sufficient. The report provides actionable insights and recommendations aimed at strengthening investigative capabilities and improving response strategies. It also stresses the importance of innovation in tackling new forms of cybercrime.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords
Forcepoint’s X-Labs reports an 11-step DHL phishing scam that uses fake OTP codes and EmailJS to harvest user credentials and device telemetry.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Why Unofficial Download Sources Are Still a Security Risk in 2026
Security Risk in 2026: why unofficial download sources still put users at risk, and how to verify safe, official install paths before installing software.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts
Research from Infoblox reveals a massive Click2SMS fraud scheme using fake CAPTCHAs and back button hijacking to trick victims into sending costly international texts.
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk
Fake CAPTCHA ClickFix attack tricks users into running malicious commands, using cmdkey and regsvr32 to maintain persistence and avoid detection on Windows
-
Cybersecurity News
-
Inside the Rise of Dabai Guarantee and the Telegram “Sweeping” Economy
The post Inside the Rise of Dabai Guarantee and the Telegram “Sweeping” Economy appeared first on Daily CyberSecurity.