Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.
Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.
The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.
Attackers are abusing Shop, the order-tracking app from Shopify, by getting fake purchase receipts to appear in users' order histories, then using them to lure victims into callback phishing. Because the bogus orders show up inside a legitimate, trusted app rather than in an easily spotted scam email, they look convincing. The fake receipts typically reference an unexpected charge and a phone number to call to dispute it; when the victim calls, the scammers pose as support staff and walk them into handing over sensitive information or account access. It is a twist on callback phishing that borrows credibility from a real shopping platform.
Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia, and how the WhatsApp accounts are compromised is still unknown.
iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.
Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.
The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.
Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.
With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.