Researchers report that a modular phishing kit named Spiderman is targeting European banks and crypto platforms with highly accurate replica login pages. It supports real-time OTP interception, PhotoTAN capture, credit card harvesting, and seed phrase theft.

The kit’s filtering options - by country, ISP, device type - show how tailored phishing operations have become.

Thoughts on how financial services should respond to increasingly modular kits?

Source: https://www.bleepingcomputer.com/news/security/new-spiderman-phishing-service-targets-dozens-of-european-banks/

Follow us for more balanced, technical threat coverage.

#Infosec #ThreatIntel #Phishing #FinancialSecurity #2FA #OnlineBanking #CyberSecurity #DigitalFraud #TechNadu

@quixoticgeek @beasts like @nitrokey or just basic #TOTP / #HOTP or #PGP-based #2FA?

Meine IT Datenschutz Liste
für euch alle !!
:linux: :mastolove:

auch als PDF:

(1)
https://cryptpad.adminforge.de/file/#/2/file/tg0M1BoAJpcdPumgsTq7LiYi/

(2)
https://cryptpad.digitalcourage.de/file/#/2/file/TlnU4Tkq8uzhfjMIFdJRS8GC/

#Datenschutz
#Privatsphäre
#Sicherheit
#DigitaleSouveränität
#Verschlüsselung
#Chatkontrolle
#Linux
#Windows
#Windows10
#Endof10
#Windows11
#Betriebssystem
#Supportende
#Gaming
#Browser
#Fediverse
#Mastodon
#Suchmaschine
#Passwortmanager
#Informationssicherheit
#YouTube
#Werbeblocker
#2FA
#eMail
#Messenger
#UnplugTrump
#UnplugBigtech
#BigTech
#AI
#GraniteAct
#CloudAct #Fisa #ForeignIntelligenceSurveillanceAct
#Meta
#Facebook
#TikTok
#Instagram

Damn, #Yubikey migration almost complete...

It's like most people dependent on smartphones for #2FA logins everywhere, but much worse. Smartphone usually has one #authenticator app, everything visible in one place, Yubikeys have various modules inside and I use most of it for many different things.
Authenticator part here is the easiest one, at least I have nice list of accounts/services to display with one simple command. But I have to remember U2F enabled services myself... Or check how many files I encrypted with GPG, or where I could use ssh keys...
Oh, and I use also pam-u2f and have FIDO LUKS login configured...
:blobCat_anxious_sweat:

Seriously, user could become even more dependent in more complex ways...

Why the hell these things don't just support firmware updates?!

SeedSnatcher – Krypto‑Wallet‑Diebstahl über Telegram

Sicherheitsforschende von CyFirma berichten über die SeedSnatcher-Malware-Kampagne, die Krypto-Mnemonics stiehlt...

Mehr: https://maniabel.work/archiv/734

#Malware #KryptoWallet #2FA #SeedSnatcher #infosecnews #infosec

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

Pulse ID: 693655cde78417611d44abde
Pulse Link: https://otx.alienvault.com/pulse/693655cde78417611d44abde
Pulse Author: Tr1sa111
Created: 2025-12-08 04:36:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

Millionen #Payback-Konten angreifbar
Stand: 03.12.2025

#Cyberkriminelle nutzen aktuell offenbar eine Schwachstelle im #Sicherheitskonzept von Payback aus, um #Kundendaten und #Bonuspunkte zu stehlen.
#Rewe #Edeka #Penny #Aldi

https://www.tagesschau.de/investigativ/ndr/payback-daten-100.html

also nochmal, für jedes Konto
ein anderes Passwort verwendet,
( PasswortManager )
eine andere E-Mail Adresse,
also am besten mit Alias Mails arbeiten.

Und natürlichen #2FA über all,
persönlich finde Ich USB Token von Nitrokey oder Yubikey oder
oder am effizientesten.

Aegis APP oder Ente Authenticator, reichen auch. !!!

Und haltet euch von Facebook fern !!

today I decided to look around Google Scholar, and man there's a bunch of papers about continuous authentications (such as via bluetooth connection with a smartwatch)

nowadays is continuous auth replacing 2fa and yubikeys soon??

#2fa #cybersecurity #academia #AcademicChatter #privacy

Add jest tests (#8491)

#2fa

https://github.com/2factorauth/twofactorauth/commit/3efd4d1e24e4c64327a7ad89dba3a0c3b1136538

Update Audiofanzine (#8511)

#2fa

https://github.com/2factorauth/twofactorauth/commit/a9c27c420bd8362ec56f90ef1a10edaddd094c8d

Update Scaleway 2FA documentation URL (#8506)

#2fa

https://github.com/2factorauth/twofactorauth/commit/54d588110cb6594efd1e35a467d7ba34773e6112

The #GitHub mobile app is all but useless for responding to PR comments. Honestly, with as shit as the app's other features are, I'm not sure why the app tries to offer any features beyond being a #2FA token.

🧵 …ich muss zum oben verlinkten Video noch dazu ergänzen, dass auch Argon2 & Co. nicht hindern simple Passwörter zu "knacken" (zu erraten). Diesbezüglich ua Regex Bestimmungen dies schon ein wenig von simplen eratbaren Passwörter (zB https://chaos.social/@kubikpixel/115583380853141059) hindert und auch wenn die nicht in @haveibeenpwned aufgeführt sind, könnten die simpel eratbar sein. Das heißt min. 2FA oder gleich Passkeys sind einiges sicherer.

#passkeys #2fa #passwort #itsicherheit #zweifaktorauthentifizierung #regex

Do you use #2FA? Which app? I got tired of always having to pick up my phone. I searched around, and I found Ente Auth. I switched all my 2FA and can now run on Linux & Android. So convenient. I used MS Authenticator before.

[Перевод] Двухфакторная аутентификация (2FA) в Zabbix 7.0

Всем привет! Мы делаем проекты по Zabbix, накопили большую экспертизу и решили сделать переводы нескольких статей, которые нам показались интересными и полезными. Наверняка, будут полезны и вам. Также своим опытом делимся в телеграм-канале zabbix_ru , где вы можете найти полезные материалы и записи наших вебинаров, опубликованных на нашем ютуб-канале (прим. переводчика). Ниже ссылки на предыдущие статьи из цикла. Миграция с MySQL на PostgreSQL SELinux: интеграция с Zabbix и другими инструментами Защита от ложных срабатываний триггеров в Zabbix с использованием функций min/max/avg Zabbix – автоматизация управления пользователями (JIT) В этой статье мы покажем, как легко принудительно включить двухфакторную аутентификацию для группы пользователей в Zabbix и как сбросить токен для генерации TOTP (одноразового пароля с ограниченным сроком действия). Подробности под катом.

https://habr.com/ru/articles/970694/

#zabbix #2fa #2faаутентификация #gals_software #google_authenticator

Your aperiodic reminder that Passkeys don't yet have any sort of universal import / export format (specified by FIDO or elsewhere).

** This means that OS level Passkey support is effectively vendor lock-in to that platform **

If you must or need to use Passkeys then you really do need to use a third-party password manager that supports Passkeys, cross-platform.

If you wish to move from Windows to Linux (or might be forced too move) then you need to take your Passkeys (and passwords) with you relatively easily.

If you currently use Windows and Android (for example) then cross platform is important. Third party password managers will enable this cross-platform flexibility.

Also remember that Passkeys are only as secure and the recovery mechanism., in the event you loose access to that service. This means you probably still need to have strong passwords and TOTP 2SA configured for accounts, especially important ones.

#Passkeye #Passwords #PasswordManagers #2SA #2FA

@hsanhalt Vielleicht kann uns die @hsanhalt dann mal an der @uni-magdeburg.de beraten, wie man einen Single-Sign-On für die universitären IT-Dienste wie E-Mail, Cloud oder Moodle mit einem zweiten Faktor schützt (wie z.B. einem #YubiKey, den ich jedoch rein privat nutze).
Wir nutzen nämlich keine #2FA sondern vertrauen rein auf einen Benutzernamen und ein Passwort, das selbstredend für alle Dienste gleich ist, auch für den WLAN-Zugang.

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid shows signs of Salty2FA infrastructure failure, forcing a fallback to Tycoon-based hosting and payload delivery. This overlap complicates attribution and weakens kit-specific detection rules. The emergence of this hybrid suggests a possible connection to Storm-1747, known operators of Tycoon2FA. Defenders are advised to update detection logic, expect more cross-kit overlap, and prepare for campaigns with increased flexibility and resilience to infrastructure failures.

Pulse ID: 692f56875686d63e093cc378
Pulse Link: https://otx.alienvault.com/pulse/692f56875686d63e093cc378
Pulse Author: AlienVault
Created: 2025-12-02 21:13:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

📢 Campagne hybride Salty2FA–Tycoon2FA frappe les boîtes mail à l’échelle mondiale
📝 Selon ANY.RUN Cybersecurity Blog, un **hybride Salty2FA–Tycoon2FA** est en train de **toucher des boîtes mail à l’échelle mondiale** ✉️.
📖 cyberveille : https://cyberveille.ch/posts/2025-12-02-campagne-hybride-salty2fa-tycoon2fa-frappe-les-boites-mail-a-lechelle-mondiale/
🌐 source : https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/
#2FA #IOC #Cyberveille

New hybrid 2FA phishing behavior spotted: Salty2FA ↔ Tycoon2FA overlap.

Recent samples show shared indicators, fallback execution chains, and mixed payload stages — signaling more modular and flexible phishing-kit architectures.

Key observations:
• Salty2FA activity dropped sharply in late October
• Hybrid payloads incorporate both frameworks
• Infra failures trigger Tycoon fallback
• Attribution & signature-based rules weakened
• Behavior-first detection is becoming essential

Source:
https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/

💬 Thoughts on kit convergence?

Follow us for more threat intelligence updates.

#infosec #ThreatIntel #Phishing #2FA #Cybersecurity #CTI #BlueTeam