In 2025, we’re seeing a shift in malicious sites and phishing techniques towards mimicking legitimate technologies we trust in daily use.

Cybercriminals are now copying the look, feel, and behavior of trusted technologies. Think Microsoft 365 login pages, Google Drive notifications, or even Zoom meeting invites to lure users into handing over sensitive information. These modern phishing techniques are disturbingly convincing, often indistinguishable from legitimate communications at first glance. In this blog, we’ll explore how attackers are weaponizing familiarity and trust, and what you can do to stay one step ahead.
Fake CAPTCHA
Tricking you into running a virus payload on your Windows machine

This attack works by using a feature in modern web applications where a button copies text to your clipboard. If you’ve ever used ChatGPT or any other Large Language Model AI, you’ve surely seen that little clipboard icon. In this case, the “checkbox” in the fake CAPTCHA does the same thing. However, what you unwittingly copied is a script that is one OR MORE of the following:
- An infostealer malware installer, which installs something like a keylogger or screen recorder to capture your screen when you’re entering a particular site.
- Something that copies documents on your computer, like PDFs, Word, Text Documents, and more to a hacker’s server.
- A ransomware installer
- Something that turns off your antivirus
- A script that deletes files out of your computer
When you follow the instructions, you are opening a “Run” menu in Windows and pasting in the script that was copied to your clipboard by the checkbox.
Remember, a web security check should never ask for anything to be done outside of your browser, unless it’s plugging in a multi-factor key like an external FIDO USB that you set up for that particular site or service. Only install apps that a web page asks you to do.
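For defenders checking whether someone followed a fake CAPTCHA's instructions, here is an added example (not from the original post) that triages the Run dialog history. It relies on the fact that Windows records Run dialog entries in the RunMRU registry key; the sample entries, the list of script hosts, and the three checks are assumptions chosen for illustration.

```python
import re

# Constructed sample in the shape of the Run dialog history that Windows keeps under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (each value ends in "\1").
# The payload is elided on purpose; nothing here is a working command.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden [payload elided] # I am not a robot - ID 4821\\1",
}

SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "curl", "certutil", "msiexec", "rundll32", "regsvr32"}
CHECKS = {
    "fetches from a URL": re.compile(r"https?://", re.I),
    "hides its window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "carries a verification-style comment": re.compile(
        r"(#|\brem\b|::).*(robot|human|captcha|verif)", re.I),
}

def program_name(entry):
    """Base name of the first token, without path, quotes or .exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', entry)
    if not m:
        return ""
    name = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(runmru):
    """Return [(value_name, command, reasons)] for suspicious entries, newest first."""
    findings = []
    for key in runmru.get("MRUList", ""):
        entry = runmru.get(key, "")
        if entry.endswith("\\1"):
            entry = entry[:-2]
        if program_name(entry) not in SCRIPT_HOSTS:
            continue  # ordinary programs and folders typed into Run are ignored
        reasons = [why for why, rx in CHECKS.items() if rx.search(entry)]
        if reasons:
            findings.append((key, entry, reasons))
    return findings

if __name__ == "__main__":
    for key, entry, reasons in triage(SAMPLE_RUNMRU):
        print(f"RunMRU value {key!r}: {entry}\n  -> " + "; ".join(reasons))
```

A script host on its own is not flagged; it has to be combined with at least one of the checks, which keeps routine entries such as `cmd` out of the results.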
Fake QR Code
Scan it if you dare

Hover over this code, but don’t tap it just yet! Where is it taking you? This is a demonstration of 2 innocent, legitimate, and trusted technologies being used together to get you to go somewhere that you didn’t expect to go:
- QR Code, which you’re so used to scanning with your phone anyways
- Link shortener, which redirects you to another location
In our little example here, tiny.cc is a URL shortener, and we put in a custom short code of “ciso2025”, which we used in our cybersecurity conference presentations to CISOs to gain their trust at a brief glance – it matches their expectations of a link for a quiz in the presentation.
Instead, they got Rickrolled! A classic internet prank that’s over 1.5 billion clicks worth of humor since the mid-2000s. If you did click or scan this link, the only damage you did was when you facepalmed extra hard that you got punked by a cybersecurity group’s blog.
But, hackers aren’t so nice. Their links are to phishing sites, tricking you into logging into “your bank”, “Facebook/Meta”, “Twitter/X”, “LinkedIn”, or any other number of places. Now, they have your password, and that little MFA you just did because you were a good user that cares about their security? Guess what, they JUST logged in with it – that’s why they asked.
We’re starting to recommend against using a link shortener in 2025. The original purpose was to compress a long link (such as the one in the URL) to fit in a 160 character or less text message along with a short message explaining to the reader what it was for. That was critical back in the day when text messages cost money PER TEXT to send or receive. Now, these often hide a malicious link or, more frequently, have a hidden redirect to an ad or marketing tracker before taking you to your intended destination.
Yes… that means the annoying cookie popup you see on most sites is practically meaningless if a link shortener is used; they still get your data through other means.
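To see where a short link really leads before anyone opens it, the redirect chain can be unwound one hop at a time. This is an added example, not part of the original post: the response table stands in for real HEAD requests, and every host other than tiny.cc (including the expected quiz host) is made up.

```python
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"tiny.cc", "bit.ly", "t.co", "tinyurl.com"}  # illustrative, not exhaustive

# Constructed stand-in for HEAD responses: url -> (status, Location header).
# Swap constructed_fetch for a function that issues real HEAD requests to use it live.
CONSTRUCTED_RESPONSES = {
    "https://tiny.cc/ciso2025": (301, "https://track.example.net/c?id=77"),
    "https://track.example.net/c?id=77": (302, "//video.example.org/watch"),
    "https://video.example.org/watch": (200, None),
}

def constructed_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))

def unwind(url, fetch, max_hops=10):
    """Follow redirects hop by hop without rendering any page; return the chain."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("too many redirects")

def assess(url, expected_host, fetch=constructed_fetch):
    """Compare where a link ends up with where the reader was led to expect."""
    chain = unwind(url, fetch)
    hosts = [urlsplit(u).hostname for u in chain]
    return {
        "starts_at_shortener": hosts[0] in SHORTENERS,
        "intermediate_hosts": hosts[1:-1],  # trackers and ad hops show up here
        "final_host": hosts[-1],
        "matches_expectation": hosts[-1] == expected_host,
        "downgrades_to_http": any(urlsplit(u).scheme != "https" for u in chain),
    }

if __name__ == "__main__":
    print(assess("https://tiny.cc/ciso2025", "quiz.example.com"))
```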
NFC Malware
Tap to pay (the hacker)

Tap to pay is a convenient technology. No more fussing with pulling a card out of your wallet. Heck, you can even tap your phone instead of the card. This uses a technology called Near Field Communication (NFC). Which is nice… until it isn’t.
This modern hack doesn’t even phish you in the traditional sense. In fact, it’s actually even something you can get nailed by in a physical store. Or at an ATM! After all, did you ever notice how tapping rarely asks for a PIN?
Here is how hackers and thieves are abusing this technology:
Poisoned mobile apps
USUALLY, Google and Apple’s app stores are good about filtering these out. When a developer submits an app or update to the store, the app store scans it for viruses. This can even be done by a real human at times. However, humans and even AIs make mistakes. The picture at the top of this column is one of those examples. The “Supercard X” app pretended to be associated with Twitter/X, but really just wanted to scan your credit card. Once you give it permission to scan, it tries to read any nearby cards.
NFC Skimmers
You may have heard of a magnetic skimmer, where a thief inserts a small metal reader into a credit card slot to read your card when you insert it. NFC “skimming” is a similar concept. An NFC reader is relatively slim, and only needs to be a few centimeters from the card to read it. When your card enters proximity of the reader, that’s all they need from you. Look for a raised sticker or something that looks out of place. If it’s on a store credit card reader, feel underneath if it’s one of those thin ones.
The ATM Scam
If someone at an ATM offers to help you with it, refuse and find another ATM! This is part of another social engineering scam to get your debit card. The machine has either already been tampered with, or the “helper” has an NFC reader hidden inconspicuously on their person, like in their watch or under a bandage on their hand. They are just trying to get your card close to their reader so they can steal it. Again, they don’t need to even touch your card, they just need to get close enough to it. Any sleight of hand or distracting gesture will give them enough time.
Overall, you should always check your bank or credit card statement regularly to be alert for fraudulent charges. Sign up for text or app notifications from your credit card company or bank. That way as soon as a charge hits, you can check it and challenge it.
