Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns

By Admin, July 2, 2025


Cybersecurity researchers are calling attention to phishing campaigns that impersonate popular brands and trick targets into calling phone numbers operated by threat actors.

“A considerable part of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers, showing another popular social engineering technique known as Telephone-Oriented Attack Delivery (TOAD), also known as callback phishing,” Cisco Talos’ Mirzaei noted in a report shared with The Hacker News.

An analysis of phishing emails with PDF attachments between May 5 and June 5, 2025 showed that Microsoft and DocuSign were the most impersonated brands. NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments.

The activity is part of wider phishing attacks that exploit the trust people place in popular brands to initiate malicious actions. These messages usually include PDF attachments that impersonate legitimate brands, such as Adobe and Microsoft, and prompt recipients to scan malicious QR codes pointing to fake Microsoft login pages, or to click on links that redirect users to phishing pages posing as services such as Dropbox.

QR code phishing emails with PDF payloads were also found to use PDF annotations to embed the URL in a sticky note, comment, or form field within the PDF attachment, while linking the QR code to an authentic web page to give the impression that the messages are trustworthy.
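For triage of the annotation technique described above, the following added example (not from the Cisco Talos report or the original article) lists URLs carried in PDF annotations and URI actions, including hex-encoded strings, and filters out those on expected brand domains. The function names, the trusted-domain list and the sample PDF fragment are assumptions made for illustration; the scanner reads uncompressed indirect objects only, so files that use object streams need a full PDF parser.

```python
import re
from urllib.parse import urlsplit

# Annotation kinds named in the article, plus Link annotations.
KINDS = {b"Text": "sticky note", b"FreeText": "comment",
         b"Widget": "form field", b"Link": "link"}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(Text|FreeText|Widget|Link)\b")
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
HEX_RE = re.compile(rb"<([0-9A-Fa-f\s]{8,})>")   # PDF hex string, e.g. <6874...>
URL_RE = re.compile(rb"https?://[^\s()<>\\]+", re.I)

def _hex_strings(body):
    """Decode hex-encoded PDF strings so URLs written as <68747470...> are seen."""
    out = []
    for raw in HEX_RE.findall(body):
        digits = b"".join(raw.split())
        if len(digits) % 2:            # PDF pads an odd final digit with 0
            digits += b"0"
        out.append(bytes.fromhex(digits.decode("ascii")))
    return out

def annotation_urls(pdf):
    """(object number, kind, url) per URL in uncompressed annotation/URI-action objects."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sub = SUBTYPE_RE.search(body)
        kind = KINDS[sub.group(1)] if sub else (
            "URI action" if URI_ACTION_RE.search(body) else None)
        if kind is None:
            continue
        text = b" ".join([body] + _hex_strings(body))
        found += [(num, kind, u.decode("latin-1")) for u in URL_RE.findall(text)]
    return found

def untrusted(findings, trusted_domains):
    """Keep findings whose host is not a trusted domain or a subdomain of one."""
    def ok(host):
        return any(host == d or host.endswith("." + d) for d in trusted_domains)
    return [f for f in findings if not ok((urlsplit(f[2]).hostname or "").lower())]

# Constructed sample: sticky note, Link with a separate URI action, hex-encoded form value.
SAMPLE = (b"%PDF-1.7\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Text /Contents "
    b"(Scan to review: https://login.example-phish.test/m365) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /S /URI /URI (https://www.microsoft.com/) >>\nendobj\n"
    b"7 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Tx /V <"
    + b"https://pay.example-phish.test/".hex().encode() + b"> >>\nendobj\n")
```

Calling `untrusted(annotation_urls(SAMPLE), {"microsoft.com"})` leaves only the sticky-note and form-field URLs, the pattern in which the visible link is authentic while the annotation carries the phishing destination.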

In TOAD-based attacks, victims are persuaded to call a phone number in a purported attempt to resolve an issue or confirm a transaction. During the phone call, the attacker masquerades as a legitimate customer representative and tricks the victim into either disclosing sensitive information or installing malware on their devices.

Most TOAD campaigns rely on the illusion of urgency, but their effectiveness often depends on how convincingly attackers mimic real workflows, using scripted call center tactics, hold music, and even spoofed caller IDs.


This technique has been a popular method among threat actors to install banking trojans on Android devices and remote access programs on victim machines to gain persistent access. In May 2025, the U.S. Federal Bureau of Investigation (FBI) warned of such attacks carried out by a financially motivated group called Luna Moth to breach target networks by posing as IT staff.

“Attackers use direct voice communication to exploit the victim’s trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” Mirzaei said. “In addition, live interaction during a phone call allows attackers to manipulate the victim’s emotions and responses using social engineering tactics.”

Cisco Talos noted that most threat actors use Voice over Internet Protocol (VoIP) numbers to remain anonymous and complicate tracing, with some numbers used consecutively for four days, allowing the attackers to carry out multi-stage social engineering attacks using the same number.

“Brand impersonation is one of the most popular social engineering techniques, and it is continuously used by attackers in different types of email threats,” the company said.

In recent months, phishing campaigns have also abused Direct Send to spoof internal users and deliver phishing emails without the need to compromise an account. The novel method has been used to target over 70 organizations since May 2025, according to Varonis.

These messages take advantage of the fact that smart host addresses follow a predictable pattern (“.mail.protection.outlook.com”) to send phishing emails without requiring authentication.

This tactic shares similarities with vishing, tech support scams, and business email compromise (BEC), but differs in delivery and persistence. While some attackers push victims to download remote access software like AnyDesk or TeamViewer, others route them through fake payment portals or impersonate billing departments to harvest credit card information, widening the attack surface.

In one of the phishing emails, sent on June 17, 2025, the message resembled a voicemail notification and included a PDF containing a QR code that directed recipients to a Microsoft 365 account phishing page.

“In many of their initial access attempts, the threat actor used M365 Direct Send to target an individual organization with phishing messages that were validated less strictly than standard inbound email,” security researcher Tom Borneo noted. “This simplicity makes Direct Send an attractive and low-effort vector for phishing campaigns.”

The disclosure comes as new research from Netcraft found that asking large language models (LLMs) where to log in to 50 different brands across sectors such as finance, retail, technology, and utilities produced unrelated hostnames that did not belong to the brands in the first place.

“Two-thirds of the time, the model returned the correct URL,” the company noted. “But in the remaining third, the results broke down as follows: almost 30% of domains were unregistered, parked, or otherwise inactive, leaving them open to takeover. Another 5% pointed users to completely unrelated businesses.”

This also means that users could be sent to a fake website simply by asking an artificial intelligence (AI) chatbot where to log in, opening the door to brand impersonation and phishing attacks when threat actors claim control of these unregistered or unrelated domains.

With threat actors already using AI-powered tools to create phishing pages at scale, the latest development marks a new twist in which cybercriminals are looking to game an LLM into surfacing malicious URLs as answers.


Netcraft said it has also observed attempts to poison AI coding assistants like Cursor by publishing fake APIs to GitHub that hide functionality to route transactions on the Solana blockchain to a destination controlled by the attacker.

“The attacker didn’t just publish the code,” said Bilaal Rashid, a security researcher. “They launched blog tutorials, forum Q&As, and dozens of GitHub repos to promote it. Several fake GitHub accounts shared a project called Moonshot-Solume-Bot, seeded across accounts with rich bios, images, and social media records.”

The development also follows coordinated efforts by threat actors to inject well-known websites (such as .edu domains) with JavaScript or HTML designed to influence search engines into prioritizing phishing sites in search results. This is carried out through an illicit marketplace called Hacklink.

The service “allows cybercriminals to purchase access to thousands of compromised sites and inject malicious code designed to manipulate search engine algorithms,” security researcher Andrew Sabborn noted. “Scammers use Hacklink control panels to insert links to phishing or illicit websites into the source code of legitimate but compromised domains.”

These outbound links are tied to specific keywords so that the hacked sites are served in search results when users search for the relevant terms. Worse, the actors can change the text that appears in the search result to suit their needs without having to take control of the site, affecting brand integrity and user trust.
