Old Scams, New Tricks: From Fake Shipments to Zero-Days
Malwarebytes Blog highlighted a relentless wave of attacks, demonstrating that even "old-school" scams still net victims. Phishing emails disguised as shipment notifications or iCloud storage alerts now deliver remote access tools and demand payment details, respectively. This underscores a critical reality: social engineering remains a primary attack vector, often preceding more sophisticated malware deployments.
Beyond phishing, the report pointed to several significant threats. Fake Slack downloads are handing attackers hidden desktops, and a Booking.com breach is arming scammers with guest data. Furthermore, a Windows infostealer is spreading via fake Proton VPN sites and gaming mods, demonstrating broad targeting. Critically, April's Patch Tuesday addressed two zero-days, one of which was under active attack, and a separate Adobe Reader zero-day can be triggered merely by opening a PDF.
This landscape demands a multi-layered defense. Attackers are leveraging everything from AI clickbait to blockchain-based infostealers like Omnistealer. Defenders must prioritize user education against social engineering, implement robust endpoint protection, and, most importantly, maintain a rigorous patching cadence. The ubiquity of these threats means every unpatched vulnerability or uneducated click is a potential entry point.
What This Means For You
- If your organization's users are susceptible to phishing, they are likely clicking on these 'shipment arrived' or 'iCloud full' scams, potentially installing remote access software or handing over credentials. Ensure your security awareness training directly addresses these common social engineering tactics. For your IT teams, immediately prioritize April's Patch Tuesday updates, especially for the actively exploited zero-day, and verify all Adobe Reader installations are patched against the PDF-related zero-day. Audit for any unauthorized remote access tools or suspicious Slack client installations.
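The audit steps above (unauthorized remote access tools, out-of-place Slack clients, unpatched Adobe Reader) can be run over a software-inventory export rather than by hand. The script below is an added example, not from the Malwarebytes post; the inventory rows, host names, version numbers, the remote-access watchlist, the expected Slack install paths and the minimum Reader version are all constructed assumptions for the example (take the real fixed build from Adobe's bulletin).

```python
"""Audit an endpoint software inventory for the three items called out above.

Added example; every host, path, version and watchlist entry is constructed.
Input rows look like what an EDR or asset-inventory tool exports.
"""
import re
from typing import Iterable, List, NamedTuple, Set, Tuple


class SoftwareRecord(NamedTuple):
    host: str
    name: str
    version: str
    install_location: str


class Finding(NamedTuple):
    host: str
    category: str
    detail: str


# Remote-access product names to look for (constructed watchlist; extend to
# whatever your organisation tracks). Matching is case-insensitive.
REMOTE_ACCESS_WATCHLIST = {"teamviewer", "anydesk", "screenconnect", "rustdesk"}

# Where a legitimately deployed Slack client is expected on Windows
# (assumption for this example: the per-user install under AppData\Local
# or a machine-wide install under Program Files).
SLACK_EXPECTED_PATHS = (
    re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\slack\\?$", re.IGNORECASE),
    re.compile(r"^[A-Z]:\\Program Files\\Slack\\?$", re.IGNORECASE),
)

# CONSTRUCTED placeholder: replace with the fixed build from Adobe's advisory.
EXAMPLE_READER_MIN_VERSION = "24.001.20615"

# Constructed sample inventory: (host, display name, version, install location).
SAMPLE_INVENTORY = [
    SoftwareRecord("WS-001", "Slack", "4.39.95", r"C:\Users\alice\AppData\Local\slack"),
    SoftwareRecord("WS-002", "Slack", "4.39.95", r"C:\Users\bob\Downloads\SlackSetup\slack"),
    SoftwareRecord("WS-002", "Adobe Acrobat Reader", "24.001.20604", r"C:\Program Files\Adobe\Acrobat DC"),
    SoftwareRecord("WS-003", "TeamViewer", "15.52.3", r"C:\Program Files\TeamViewer"),
    SoftwareRecord("WS-004", "AnyDesk", "8.0.10", r"C:\Users\carol\AppData\Roaming\AnyDesk"),
    SoftwareRecord("WS-005", "Adobe Acrobat Reader", "24.001.20615", r"C:\Program Files\Adobe\Acrobat DC"),
    SoftwareRecord("WS-005", "Microsoft Edge", "124.0.2478.51", r"C:\Program Files (x86)\Microsoft\Edge"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '24.001.20604' into (24, 1, 20604); non-numeric pieces count as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def audit_inventory(records: Iterable[SoftwareRecord],
                    approved_remote_tools: Set[str],
                    reader_min_version: str) -> List[Finding]:
    """Return one Finding per record that fails one of the three checks."""
    findings: List[Finding] = []
    approved = {t.lower() for t in approved_remote_tools}
    min_reader = parse_version(reader_min_version)
    for rec in records:
        lname = rec.name.lower()
        # 1. Remote-access tool present but not on the approved list.
        if lname in REMOTE_ACCESS_WATCHLIST and lname not in approved:
            findings.append(Finding(rec.host, "unapproved-remote-access",
                                    f"{rec.name} {rec.version} at {rec.install_location}"))
        # 2. Slack client installed somewhere other than the expected locations.
        if lname == "slack" and not any(p.match(rec.install_location) for p in SLACK_EXPECTED_PATHS):
            findings.append(Finding(rec.host, "slack-unexpected-path", rec.install_location))
        # 3. Adobe Reader older than the minimum patched build.
        if "acrobat reader" in lname or "adobe reader" in lname:
            if parse_version(rec.version) < min_reader:
                findings.append(Finding(rec.host, "adobe-reader-unpatched",
                                        f"{rec.version} < {reader_min_version}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit over the constructed inventory with TeamViewer approved."""
    return audit_inventory(SAMPLE_INVENTORY, {"TeamViewer"}, EXAMPLE_READER_MIN_VERSION)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.host}\t{finding.category}\t{finding.detail}")
```

Feed it the CSV or JSON your inventory tool exports (one SoftwareRecord per installed-program entry) and treat each finding as a ticket: the remote-access and Slack findings need a human to confirm provenance, while the Reader finding is a straight patch-compliance gap.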
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Adobe-Reader-Zero-Day | Code Injection | Adobe Reader vulnerable to zero-day via PDF file |
| Windows-Infostealer | Information Disclosure | Windows infostealer distributed via fake Proton VPN sites and gaming mods |
| Omnistealer | Information Disclosure | Omnistealer uses blockchain to steal data |
| Fake-Slack-Download | RCE | Fake Slack download installs remote access software |
| Booking.com-Breach | Information Disclosure | Booking.com breach exposes guest data for scam targeting |