U.S. offers $10 million for hackers targeting WhatsApp, Signal users

Order-Tracking App Shop Abused to Push Callback Phishing Attacks

Threat actors are abusing Shopify's Shop order-tracking app by injecting fake purchase receipts from brands like Norton, McAfee, Apple, and PayPal into users' order histories. The fraudulent receipts include a phone number victims are urged to call to dispute the charge — a callback phishing technique. Callers are then socially engineered into revealing credentials, payment details, or one-time passcodes, and sometimes tricked into installing remote access software. Shopify has deployed new controls to reduce the activity. The attack is notable because it exploits user trust in a legitimate app rather than email, and can escalate from consumer fraud to enterprise endpoint compromise if employees are targeted on work devices.

FBI: Russian hackers now target Signal backup recovery keys

FBI và CISA cảnh báo hacker Nga (UNC5792, UNC4221) tấn công vào Signal bằng cách lừa người dùng chia sẻ Backup Recovery Keys thông qua giả mạo hỗ trợ kỹ thuật. Kẻ tấn công có thể khôi phục toàn bộ lịch sử tin nhắn nạn nhân nếu chiếm được key này, ngay cả khi tạo tài khoản mới cùng số điện thoại.

Lập trình viên nên đọc bài này để hiểu cách hackers exploit lỗ hổng trong ứng dụng Signal, từ đó nâng cao kiến thức bảo mật cho các ứng dụng giao tiếp và hệ thống liên quan, giúp phòng ngừa rủi ro khi phát triển hoặc sử dụng các giải pháp an ninh mạng.

France’s statistics department hit by cyberattack on staff directory

France's national statistics agency INSEE suffered a cyberattack exposing personal data of approximately 12,800 current and former staff. The breach, detected on June 19, compromised an internal staff directory (trombi.insee.fr) containing names, identity details, and professional contact information. Critically, passwords, bank details, social-security numbers, and public census data were not affected. A user under the alias 'Saturne' posted the database on a cybercriminal forum. The incident is part of a broader pattern of French government cyberattacks in 2026, with analysts citing chronic underinvestment in cybersecurity and social-engineering vulnerabilities. While the stolen data is low-value in isolation, it can serve as raw material for targeted phishing campaigns against staff.

Bluekit phishing kit adopts browser-in-the-middle for login theft

Bluekit, a phishing-as-a-service platform first documented in April, has evolved to include browser-in-the-middle (BitM) capabilities using the open-source JavaScript library rrweb. This technique streams the legitimate login page's DOM to victims over WebSocket, allowing attackers to capture credentials and session tokens while bypassing MFA. The platform also features sophisticated anti-analysis defenses including randomized CSS filters, obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC-based VPN/proxy detection. Nearly 70 new hostnames were identified in the past week, indicating active expansion. Indicators of Bluekit activity include WebSocket connections sending encrypted data on login pages and CSS filter manipulation on top-level HTML elements.

Polymarket customers lose $3 million in supply-chain attack

Polymarket, a major cryptocurrency prediction market platform, suffered a supply-chain attack in which hackers injected malicious JavaScript into the platform's frontend via a compromised third-party vendor. Unsuspecting users were tricked into approving fraudulent transactions, resulting in approximately $3 million stolen from fewer than 15 accounts. The stolen funds, initially in PayonUSD, were swapped for roughly 1,893 Ether and bridged from Polygon to Ethereum. Polymarket's own backend infrastructure was unaffected, and the company has pledged full reimbursement to affected customers.

Cybersecurity firms targeted by fraudulent OpenAI organization invites

Threat actors are running a 'Poisoned Tenant' campaign by creating fraudulent OpenAI/ChatGPT organizations that impersonate legitimate companies and inviting targeted employees to join them. Discovered by Push Security after their own employees received invites, the attack uses OpenAI's legitimate notification infrastructure (noreply@tm.openai.com), bypassing email security controls. Attackers research specific employees, attach a real credit card to add legitimacy, and grant invited users Owner privileges. The goal appears to be tricking employees into using the fake workspace as a corporate ChatGPT environment, exposing sensitive data like source code, internal documents, and customer data through AI prompts. The campaign targets cybersecurity and technology firms specifically. Push Security recommends training employees to verify unexpected organization invitations and monitoring SaaS memberships.

FBI says Russian spies now trick Signal users into handing over their backup recovery key

Cơ quan FBI và CISA cảnh báo hacker tình báo Nga (UNC5792, UNC4221) đang lừa đảo người dùng Signal để chiếm đoạt recovery key, cho phép truy cập toàn bộ tin nhắn ngay cả khi đổi thiết bị. Tin nhắn giả mạo hỗ trợ Signal, dụ nạn nhân tiết lộ key thông qua các thủ đoạn xã hội kỹ thuật.

Lập trình viên nên đọc bài này để hiểu cách các nhóm hacker lợi dụng lỗ hổng xã hội trong ứng dụng giao tiếp phổ biến để trộm dữ liệu quan trọng, từ đó nâng cao kiến thức bảo mật cho các ứng dụng web/mobile của riêng mình.