A new phishing attack targeting Apple users floods their devices with password reset requests and follows up with fake Apple Support calls, attempting to trick victims into sharing the reset code. The attackers use personal data obtained from People Data Labs to gain the victims' trust. Apple has not yet commented on the matter, and users are advised not to share the reset code with anyone to prevent unauthorized access to their Apple ID.
Apple users are being targeted in an advanced phishing attack that exploits a potential bug in Apple's password reset feature, bombarding them with endless password change notifications in an attempt to trick them into approving the change. Attackers are able to lock users out of their accounts if the request is approved, and they may also make phone calls pretending to be Apple support to obtain one-time password reset codes. The attack seems to exploit a bug in Apple's forgotten password page, and affected users should be cautious and avoid clicking "Allow" on any suspicious requests.
Security researchers have discovered that a Flipper Zero device can be used to execute a phishing attack on Tesla accounts, allowing attackers to unlock and steal cars. By creating a fake Tesla Guest WiFi network, the attacker can trick victims into entering their credentials, enabling them to add a new Phone Key and gain control of the vehicle. Despite the researchers' recommendations for improved security measures, Tesla has stated that the current process is intended behavior and does not require a key card for authentication.
Researchers demonstrated a Man-in-the-Middle (MiTM) phishing attack using a Flipper Zero to compromise Tesla accounts, allowing attackers to unlock and start cars. The attack exploits a security gap in the Tesla app and software, enabling the addition of a new 'Phone Key' without proper authentication. The attack could be performed using various devices, posing a significant security risk. Despite the researchers' report, Tesla deemed the behavior intended and did not acknowledge the need for additional security measures.
A sophisticated phishing attack targeting Microsoft 365 users has been discovered by the email security service Vade. The attack involves an email with a malicious HTML attachment that, when opened, leads to a phishing page designed to mimic the Microsoft 365 login interface. Users are prompted to enter their credentials, which are then stolen by hackers. The attack utilizes the website glitch.me to host the phishing pages. Vade also uncovered a phishing attack posing as Adobe. To protect against such attacks, users are advised to avoid opening suspicious attachments, be cautious of emails asking for login information, use antivirus software, double-check email addresses, and stay vigilant against deceptive schemes.